Meet no more, continuously, and excel

I posted before on the atrocities of current-day meeting practices. And on the changing role of the Document, here.
The latter provided some thought towards predicting the demise of the former: When we’re connected (at the information level, not merely technically) constantly and continuously, wouldn’t all the errors of meetings be resolved (resolvable) by not having them anymore, or at least, re-styling them in a wholesale manner?
First, a picture:
[Reflections of – the way life used to be (lyrics)]

I mean, all the meeting errors have been allowed to play out because the in-charges liked them, for the display of faux leadership caricature they provided. But with the change towards always-on mesh communications, which is do-or-die, the very reasons to have meetings diminish. Social advantages of meeting F2F, that were collateral ‘damage’, may still be around but in the form of having drinks. Who’d need more? And now recognize the benefits outright, without the formal hassle and hilarious chair and topper pomp.

Though I treasure the value of the Document, if, very big if, it is in itself an attempt to Masterpiece. Which it sometimes is, in organisations, but then, so desperately few would survive public muster. Yes, there’s a trend towards deployment of Narratives everywhere. But that’s not what I mean here. I mean stuff like Books, nuggets of Culture carried through the ages. Where mere documents, even, let alone casual socmed conversations, will leave no (! storage re-use needs, TLA?) trace of your existence. As the Greek Hell beyond the underworld: In the underworld, even the villains were still known by name. But beyond that, in Hell, wailed the spirits of the Forgotten, the nameless. That truly was as bad as hell could get. And, of course, true heroes would attach to the pantheon, become stars and constellations. Do you strive for that, when filling out the TPS report at Initech? If you had to look that up, you’re on the naïve side of young…

Well then, to summarise: Meeting mania is curable, and Documents sharpen our skills. What a blunt conclusion. But don’t blame me when your greatness takes off.

Clustering the future

Was clustering my themes for the future of this blog. Came up with:
Future trend subjects [Sizes, colours, or text sizes not very reflective of the attention the various subjects will get]
Low sophistication tool, eh? Never mind. Do mind, to comment. On the various things that would need to be added. As yes I know, I have left much out of the picture, for brevity purposes. But will want to hear whether I missed major things before I miss them, in next year’s posts. Thank you!
And, for the latter,
[Bah-t’yó! indeed]

Pulling, and pushing the compliance boundaries

A reblog again, delving into the breadth of being the peers that pressure towards conformity or be the Maverisk that wants to prevent stale and mould. Read past the starting stuff, and find the value of nonconformity explained. If you don’t see that… You may be the one most in need …
And,
[Accelerating, not so bad]

SPICE things up, maturely

Where just about everyone in my Spheres was busy ‘implementing’ (quod non) all sorts of quality ‘assurance’ or ‘control’ (2x quod non) models, in the background there was quite some development in another, related area that may boomerang back into the limelight, for good reason.
First, this:
[Zuid-A(rt)sifyed]

The subject of course regards SPICE, or rather the ISO 15504 that it has turned into. Of the Old School of software development quality improvement era. Now transformed into much more…
In particular, there’s Capabilities instead of ‘maturity levels’.

What more can I add ..? Systematic, rigorous, robust, resistant against commercial panhandling. The intricacies … let’s just point to the wiki page again; ’tis clear enough or you need other instruction…

Lemme just close off with asking you for your experiences with this Standard…?

Unfreeze, the quest for ~ in business

How do Those In Business that deal with the all-sorts of überbureaucratisation, think the Second Law, of thermodynamics of course, wouldn’t apply to their work as well?
Let’s kick off with:
[Appropriately named the Airplane building. Zuid-As]

Happened to attend a conference last week. And was able to read back a great many days of twitter feed. Due to the utter boredom. Because the presentations were all about … introducing control frameworks, under the guise of governance frameworks, that aren’t (fact).

  • Still, all was presented as if there would be little in place already;
  • Still, it appeared none looked past ‘first-time’ implementation. Albeit that some (not all…) mentioned the repeat of the PDCA (some, as just an element of a PDCA cycle they, how Ecce Homo, completely erroneously mixed up with the management control cycle!), none seemed to have had any experience with an actual (hence very shoddy) implementation of ‘GRC’ let alone found the root cause of its continued, law-of-nature certain decline. Law of nature, as the system of control of which we speak, having entropy-aversion as its rationale, will suffer from the Second Law of Thermodynamics. The entropy of a closed system never decreases. These systems leak all the way, and aren’t rigorously consistent and/or stable in the first place. I.e., all these systems tend towards Chaos; no Man, half-god or god(s) has ever been able to (or wanted to!) prevent this.
  • As if the concept of Life Cycle wouldn’t apply to the totalitarian system of bureaucratic control that GRC is; the Decline has been set in everywhere as it has set in throughout the Culture Of GRC.
  • As if there weren’t already serious errors in the system itself: Trying, repeat ad nauseam, in vain to control the uncontrollable, to capture the thing that is defined by its escape from control, i.e., Risk.
  • As if it were a good thing to consider GRC as necessarily (sic) one-size-fits-all within an organization; all elements should be in all corners. That is not ‘governance’ (which already is nothing in itself) but genocide-by-dehumanization-and-slavery over all involved.
  • As if GRC isn’t self-defeating or rather, self-destroying by crushing initiative (that necessarily is over the edge of Control’s allowance; the more perfect GRC the more so!) and hence straightjacketing anything and everyone into tighter and tighter harnesses whilst the competition, muddy-ocean to blue ocean whatever, would not overrun and eradicate your organization. ‘The fish starts to rot at the head’, here too.
  • As if… as if the step-wise activities approach still depicted, would possibly work anywhere and not fit, as any day at the office (sic) would be swamped with all activities all the time in an insurmountable mix.
  • Where the likes of Nassim Taleb did already prove that when one thinks to control better by being displayed less variance in some results variable, that is only a sign of the powers of nature prepping up for the big Bang that kills those very results. Which is the force of nature, demonstrated since the dawn of humanity to have plagued all systems of cooperation and society: The Apollo side may think to triumph, but the Dionysos side in Man will get even no matter what. The more the latter is pushed aside, the harder it will strike back in unforeseen directions. No doubt; fact of godly nature.

You get it. I hope. Now, go understand Road to Nowhere.

The two faces of digital transformation

A plain reblog from Esko Kilpi, on the future of information flow within the organization. Very thoughtful. If only you’d be allowed to read it and not be stuck in printed documents …

Short note: Büro muss sein

Yet again, there was clarification re the demise of organizational culture … into totalitarian bureaucracy, greenwashed in ‘modernity, coolness and hipness’ with some doublespeak / newspeak and beards (in Dutch >:-|):

Which would be nothing new for you if only you had been reading up on this blog over the past year…

But you didn’t, and maybe I can’t blame you – despite wanting to.
To add to the above, it seems to have escaped many that in the Netherlands, there is no such thing as ‘working’. Oh well, a few underlings do that, apparently. But the masses, and us the elite (quod non), rather dabble in ‘managing’ and ‘leading’ to the extent feasible without being accountable for anything. Because the anything will be failure, and we know that, but just don’t want it to happen on our watch après nous le Déluge. Whereas worker time is preferably continuous without disturbance in particular not with useless meetings, manager time is meetings. Meetings is ‘work’. Hence, to work really hard, one has to meet really hard. All the time. And since there would be a danger in doing anything useful during those meetings, like having accountability shoved onto one, one would rather just demonstrate to be really good at managing, i.e., meeting. Through not doing anything useful in them… A modern manager’s job description is to have meetings, isn’t it ..?

Alas, this will mean totalitarian bureaucracy will reign, where following procedure is far more importanter than doing any work. Meeting procedure in particular.
Whereas we would want:

But as long as the managers have it, rules will rule and being effective is a threat to the status quo that benefits the ones who can only perfect their being bureaucrat also to prevent being found out about incompetence to do anything useful. It is just collateral damage that this blocks you from doing the best you can, and also all new flex work from home (Why? Why not a tropical beach?) schemes can not be made to work (sic), as the ones who would let us (not: lead us..!), lose too much by letting us.

This story to be continued…

[Edited to add:

  • BTW 1: Don’t take me for a misanthropist on this issue; I really do expect an Age of Aquarius breakthrough after IoT has delivered the Singularity
  • BTW 2: The above, isn’t new. My brain reminded me of this masterpiece of masterpieces, to be read nay studied in its full, 2-part/volume extent.]

[Edited to add, too, two data points in this here blog post that bear out my idea(s), big if you could call them that.]

At least, you can have your PIA

Privacy Impact Assessments are treated much too much as an assumption in (new European regulations’) privacy-anything these days. Yes, PIAs are a critical step, on the very critical path towards compliance in substance. Since when they aren’t done well if at all done with any true attention and intention, your compliance effort will fail, if not formally then in practice – with equal serious break-your-business high-probability risks.

First, this:
[Heaps upon Sea again indeed]

The point being; PIAs should be done with an actual interest in privacy (of stakeholders) protection. When done less than full-heartedly, the results have hardly any value. Because that would demonstrate one doesn’t understand the ethic imperatives of privacy protection in the first place. From which would follow all required (other) policies and measures would be half-hearted, ill-focused, and sloppily implemented ‘as well’. Which isn’t the stretch of reasoning you picked up on first reading this…

And then, a great many organisations don’t even start with PIAs, they just jump in at all angles and steps. With PIAs still being required, not full-heartedly carried out somewhere during or after the fact, where all the rest is implemented on assumptions that will not be met.

To which I would add: In the above, ‘you’ regards the ones in control (“governance”, to use that insult) at organisations that would have to be compliant. Not you the advisors/consultants, internally (in 2nd and 3rd LoDs) or externally, that push organisations. [Don’t! Just tell, record, and after the disaster ‘told you so’ them. There’s no use at all kicking this dead horse.]
But oh well, why am I writing this? Why am I hinting at ethics in your governance? That’s an oxymoron at your organization – do you claim to have the one or the other?

Feel free to contact if you’d like to remedy at least this part of your Privacy non-compliance…

Regulation Renegation Abomi nation

So, after privacy-enhancing regulations finally got some traction here and there – mentally, hardly in implementation yet – we’re getting the full bucketloads of bovine-produced fertilizer regarding adapted protection through ‘Data Use Regulation’.
Which already throws back actual regulation in intent and in the letter of it. But has many more nefarious consequences… As is in this article; couldn’t word it better.

We should be vigilant …

For now, I’ll leave you with this:
[A spectacle, Jerez]

IoTSec from IAM at entry to the end node

Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?) or are you doing it there not too, we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And, there’s quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And at the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re doing it not right at the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implem’s become linked up into one giant uncontrolled, uncontrollable mesh.

Now, first, an intermission:
[At dawn]

So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.

On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we often have the I and A1 usually at the front door, and the A2 somewhere in the/a network usually ‘near’ the end point (which also usually, is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the IA1-part will also be much, much less definable than it is today. But then, we’ll need much finer-grained access control at the end point, and much more flex at the (IA1) entry point or we leave it all free for all and only at the end point, the destination, check IA1 (again). For this IA1A2 at the end point, we need to consider:

  • The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag required resource in a big way – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really really simple at this point. We may need to consider global IoT mesh network segmentation or other pervasive and comprehensively secure forms of IA1 at entry points (how to guarantee complete coverage) or throughout the mesh (how to prevent complete coverage without even the slightest possibilities of evasion).
  • Identities… ?? Where, how to manage the I’s and maintain the I+A1’s privacy, and transparency to the A2-owners ..?
  • How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t easily be uploaded all with the latest A2 tables we’d want – or that is done by some broadcast flash approach which is all too vulnerable for cracked use.

But still, we need something of that kind. And transparency built in to that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.
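One possible shape for a deliberately simple IA1A2 check at the end node, including the broadcast A2-table update the last bullet worries about; this is an added example, not the author's proposal or any product's code. It assumes pre-shared symmetric keys and HMAC-SHA256, and the names `EndNode`, `tag`, `apply_a2_update` and `handle` as well as all keys and tables are constructed for illustration.

```python
import hashlib, hmac, json

def tag(key: bytes, *parts: str) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (avoids delimiter ambiguity)."""
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class EndNode:  # hypothetical constrained node; all names are assumptions
    def __init__(self, owner_key: bytes, identity_keys: dict):
        self.owner_key = owner_key          # authenticates A2 table updates
        self.identity_keys = identity_keys  # I -> key used for A1
        self.a2, self.a2_version, self.last_counter = {}, 0, {}

    def apply_a2_update(self, version: int, table_json: str, mac: bytes) -> str:
        expected = tag(self.owner_key, "a2", str(version), table_json)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad MAC"      # forged or corrupted broadcast
        if version <= self.a2_version:
            return "rejected: rollback"     # replay of an older table
        self.a2 = {i: set(acts) for i, acts in json.loads(table_json).items()}
        self.a2_version = version
        return "applied"

    def handle(self, identity: str, action: str, counter: int, mac: bytes) -> str:
        key = self.identity_keys.get(identity)
        if key is None:
            return "denied: unknown identity"                  # I
        if not hmac.compare_digest(tag(key, identity, action, str(counter)), mac):
            return "denied: authentication failed"             # A1
        if counter <= self.last_counter.get(identity, 0):
            return "denied: replay"
        self.last_counter[identity] = counter
        if action not in self.a2.get(identity, set()):
            return "denied: not authorised"                    # A2
        return "allowed"

def demo() -> list:
    # Constructed keys and tables, for illustration only.
    owner, alice = b"constructed-owner-key", b"constructed-alice-key"
    node = EndNode(owner, {"alice": alice})
    t1 = json.dumps({"alice": ["read_temp"]})
    t2 = json.dumps({"alice": ["read_temp", "open_valve"]})
    return [
        node.apply_a2_update(2, t2, tag(owner, "a2", "2", t2)),
        node.apply_a2_update(1, t1, tag(owner, "a2", "1", t1)),   # rollback
        node.apply_a2_update(3, t2, tag(alice, "a2", "3", t2)),   # wrong key
        node.handle("alice", "open_valve", 1, tag(alice, "alice", "open_valve", "1")),
        node.handle("alice", "open_valve", 1, tag(alice, "alice", "open_valve", "1")),
        node.handle("alice", "reboot", 2, tag(alice, "alice", "reboot", "2")),
    ]
```

A symmetric key extracted from one captured node can forge messages for every node sharing it, so the identity and key-management questions in the list above remain open with this sketch.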

I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!

And, just so you know:

Maverisk / Étoiles du Nord