Category: ERM, GRC

Cycle comments and questions

A certain commercial advisory club still releases its hype cycle. Which is good news; to have some authority with some authority (your mileage may vary) providing us with some comprehension and comprehensiveness [OK I’ll stop now] about the What’s Buzzworthy.
Still, being … in the field / Dutch / obnoxious, pick any; I’d like to comment…:
(Here’s the August version from … somewhere; ™ and © or what is it, acknowledged)
7330eb56-2177-11e4-89b4-12313d239d6c-large

  • Virtual Personal Assistants – 5 to 10 years out (of the plateau of productivity) ..? That’s optimistic ..!
  • Brain-computer interface: If one would consider this to be about ‘intelligence’ connection, then maybe. But there’s also connections like hearing, et al., where a 5 to 10 year span may be on the ‘long’ side.
  • Human augmentation: See the previous. Or aren’t definitions sufficiently orthogonal?
  • Affective computing: Hm, optimists.
  • Neurobusiness: Same.
  • IoT: Yes, at a hype peak. Maybe (much) sooner, to be at the plateau.
  • Cryptocurrencies: Hoping for a swifter spread and adoption…
  • Big Data may be further down the slope already. Or is that from where I / we are ..?
  • Gamification, augmented reality: Hopefully and quite possibly, already reality somewhat earlier.
  • The rest of the bunch … will they not come sooner ..? Of shift shape (‘pivot’) to be unrecognizable from their today’s hype labels soon?
     
  • And a final one: Would anyone have a similar overview of … one year, five and ten years back? Just to see what happen in the meantime; to establish a ballpark reliability figure. Would be fun, too.

I’ll leave you with this’all. Your comments are welcome(d). If you like to dream.

Diversified Reporting Assurance

Yes, let’s call it DRA. The new wave of “accountants’ statements” in the wings.
[Warning: for those not interested in accountancy, the rest will be boring. Or, let me restate that: very boring. Or even deadly boring.]
Continue reading “Diversified Reporting Assurance”

Be quick at Making or be like dead

When I noted an article (is it?) on Baidu Eye (all of you will certainly know by now what I mean…!?), it finally dawned on me: ‘we’ in the West (let’s say for purposes here, the 300M of Europe plus the 300M of North America) just don’t do enough rapid prototyping yet.
Because that’s the trade we have left to e.g., the Chinese when ‘we’ shipped our (rapid) product(ion) development to them.

Now, the sweatshop structure that sprang up to the side of that, is one huge landscape of rapid prototyping facilities. Which, if not ‘stealing’ (don’t start the legaleeze that’s way too dependent on cultural notions) product ideas before launch, or just slapping a different brand tag after (over)production, allows copycatting of products (commonly, of less quality or functionality) or of sparks of innovation (not taking a product as ideal model but as inspiration).

This somewhat fits the model of the Maker movement that springs up in the West. Is still springing up a bit, here and there. Was mentioned here and there, sparsely, and may have whittled into almost-oblivion already again ..?
Whatever; the Maker movement has a different focus, not on extremely-rapid prototyping to mass produce, but to keep it as close to one-offs as is feasible. Quite an opposite horizon!
And also leaving a vast playing field open for … others.

How can we change business / production culture to get, beside a Traditional and a Maker movement, a Happy Go Lucky Production movement where improvement-on-the-production-fly-cycles are much more rapidly learned from? (Much faster even than e.g., Samsung’s (and others’ like Apple!) fast-introduction-perfect-in-next-versions approach. But also taking this into account, for this reason!) No, just shouting around about tearing down bureaucratic rules won’t work; those rules are there to regulate the current rogues (big business, oligopolising everywhere) – I mean a real cultural shift. Is that what’s happening (or should happen) in some backwater country now that the 0.001% with help from the 1% has killed the previous mainstay power the Middle 80% ..?

Seriously, how can we rig, ground, lay the foundations, for such a Third Way ..? To get, e.g., this sort of initiatives far more widespread.

[Huh, since I wrote the above (couple of weeks ago), this came to light…]
[And this, the caveat you wanted …]

You (somewhere in the #=0 to #=3 range) have been such kind readers to even visit… hence I’ll leave you with:
DSCN7516[Freedom to consume; the mediocre! – Good, more authentic stuff, close by but elsewhere]

Managing Fortuna’s Risks

On how Risk Management is self-defeating… or just something one has to do while Life has other plans with you(r organization).

First, the übliche picture:
20140813_154840
[Shadow (play) of Dudok, Hilversum again of course]

First, the Defeating part. This, we hardly discuss at length, full enough, but when we do, it’s so obvious you understand why: Because RM is about cost avoidance, even if opportunity cost avoidance. Which makes you the Cassandra, the Boy Cried Wolf of the courtiers (sic). It’s just not interesting, not entrepreneurial enough. [Even if that would be pearls before swines…]

Second, this is why it’s so hard to sell (no quotes, just outright sell for consultancy or budget bucks) the idea of RM to executives – they only see the cost you are. They don’t see themselves as delivering something if, if, if only, they had integrated RM into their daily ‘governance’ (liar! that’s just management!) / management. They don’t want to do anything. They just don’t understand to do something that doesn’t show to be effective even if others for once see no harm (though the others will not even care to flag the kindergarten-level window dressing that’s going on with the RM subject; too silly that, to call out).

Third, this happens not only with ‘boardroom’ RM (~consultancy/advisory), it has been well-established at lower ranks; all the way from the mundane IT security, Information Security, Information Risk Management, Operational Risk Management (where the vast majority of organisations don’t make anything tangible anymore), including the wing positions of, e.g., Credit and Market Risk (which are in fact, with the visors to mention, the same as the previous!), to Enterprise Risk Management altogether.

Fourth, we tie in Queuillism. The Do nothing part almost as in Keynesianism where in the latter, future-mishap prevention should be arranged during the years where government intervention wasn’t required as such. As in Joseph’s seven fat years contra the seven years of famine (Genesis 41). How does this reflect on RM? Would it not be just BCM in its widest, enterprise-wide sense? Isn’t that what ‘management’ is about, again..? Just sanding off the rough edges and for the rest, give room to the actual stars, the employees at all levels, to let them bring out their best – so exponentially much more than you can achieve by mere, petty, command & control. You raise KPIs, I rest my case of your incompetence. And this goes for governments even more. Just enormously expensive busywork.

Fifth, finally, the fourth trope points into the direction of Machiavelli’s Fortuna. Which was also covered by Montaigne, of course. It doesn’t matter what you do, in the end, Life has other plans with you. Sobering, eh? Oh but again, you can shave off the rough edges for yourself, too. Just don’t think in the end, that will matter much beyond some comfort to you. Katharsis, and move on.

OK, since you held out so long:
20140813_154800
[The same, from another angle]

Security accountability: We’re off

Remember the Vasco i.e. Diginotar certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of Diginotar are accountable for the damages to Vasco following the breach since the previous Diginotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, already a third party (ITSec, which I know for their good work [disclaimer: have no business relations]) had notified Diginotar about shop-floor level deficiencies. That remained uncorrected.
     
  • Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds were still held in escrow, and they wanted the monay. Vasco filed a counter claim; logically, and won.
     
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!), haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That‘ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?

OK then, now for a picture:
DSCN0358
[Monteriggione security was effective, until not, then abandoned as control approach… they did, why not all of us today?]

Mo’Data, Mo’Problems

Some time ago, I was triggered by this tweet (by @meneer; no surprise in that):

that somewhat-translates (i.e., manually, however clunky still better than machine translation as that doesn’t get Dutch unstructuredness…) to: “Bizarro weather picture again: forecast #somechannel/app from the South-East to the North-West, #someotherchannel/app from the North-East to the South-West” referring to some predictions about clouds and (turned out quite torrential) rain passing over the minute geography of the Netherlands.

And another about this article – that explains, in a more scientifically styled prose, that having ever more data makes it ever more difficult to connect the dots you’d want to connect…

Both of which are poignant reminders that:

  • Big Data is not a tool but a mere tool, to be used very carefully even (or in particular?) by the few that have really big data sets. If you collect focusedly, it can hardly be called Big, rather ‘Smart-‘ or just plain ‘data analysis’, no more; if you collect as much as you can, you are destroying objectives achievement – the required method destroys the results;
  • If, very big if, Big Data would result in anything, why haven’t weather predictions improved ..? The enormity of data that had already been around in that arena for decades, will have exploded over the past one, and should have resulted in far better predictions instead of the worse that the predictions seem to have gotten. And we’re talking patterns, not even the zoom-in to tinier details that one commonly associates with BD (the major patterns are usually skipped for being too well known already). Hence, what hope would we have for other areas..?
  • Reliance on apps for info is getting more and more dangerous, almost literally so far, but in an indirect sense, already, widely. What if… when now as already well-known, some search giant might have monopolized Search and skews the results you get…? That would theoretically be a disaster. Oh.

So, think again, be ever more critical of Shallows app usage and reliance… I’ll leave you with:
??????????[Lucca: ‘modern’ Italian parade]

Buck shot or machine gun; assurance

With news about the slow but steady adoption of SBR everywhere (but mostly on related sites…), it suddenly struck me that with this Standard Business Reporting we see a move from single firings of buck shot to the machine gun age in assurance.

First, this:
DSCN4309[Yup, actual business lurking in the background. Date this pic]

By which I mean that until now, and for a short bit of time to come, accountants of the annual accounts certifying type issue(d) single assurance statements about a whole number of individual reporting items; in conjunction with each other but hence (!) also about all of them individually. The single blow of much data, in multiple but somewhat related directions.
Now, with XML, and XBRL as a common ‘subset’ taxonomy definer, and SBR on the back of that, we suddenly have the possibility of firing a great many but single data points in all sorts of directions. Where each bullet data point has to stand on itself, and be assured separately, aimed at, well, a single recipient.
Which makes a change necessary from the cover-all assurance of yesteryear to a single data point assurance thing of today. Where one cannot rely on context – or the context is re-created by a recipient collecting the data points they want …! – one has to provide assurance on … does this end up with a system-of-production assurance thing again ..?

Hope not. Since that is too far off of any real application. Since assurance of systems misses the vast enormity of details that matter when one wants to give assurance on … details. What then? Both. Both systems assurance overall, not circling on the ledgers only. And detailed assurance per data point or tinysubset. With SBR for target audiences as intermediate [stage?].

And, will we not need the ‘traditional’ assurance over annual reports anymore …? Well, we will, for sure as we seem to need more than ever true and fair views of how business in general was conducted, to establish credibility of management control for the (near) future. But then, such reports would be enormously much more qualitative by nature. To be qualified in a very non-quantified since by second opinion givers like accountants. [And/or others …!?] What lyrical prose we’ll have, what market push to cut the cr.p, what difficulty of accountants to grapple with the auditees’ sheer poetry enlisted to window dress.

Moar will follow, especially re single point assurance…

Crowdjustice

Wellicht zullen gevestigde belangen (weer ten onrechte … DNB-kneuterpietluttigheid-waarschijnlijk-uit-doodsangst-uit-onbegrip (hoewel dat d… terecht, en gewenst?) vs California State…) gaan waarschuwen voordat de vergelijking met de huidige feitelijke situatie voldoende fundamenteel en objectief is gemaakt, maar dit is natuurlijk een interessante nieuwigheid; crowdsourcing justice. En voor degenen die jury-rechtspraak iets engs vinden wat wat de boer niet lust, leze nee bestudere dit werk eens.
Plots komt zo veel samen… Vreugde alomom zo veel culturele vooruitgang.

[Edited to add: Zie de post van 25 augustus 2014…]

En dus een vrolijk:
000013 (17)[Kan dubbel zijn, swa]

COPE a Nope

Hm, this piece seems to miss the point entirely…

Because the move to BYOD had/has (sic) nothing to do with operability. But all with power. And speed. COPE will be much more of the same, but with an even more inexplainable awkward speed/flexibility/functionality trade-off. With nothing of (e.g., the European current and forthcoming Regulations’ and practices’) privacy in mind, just pipe dreams of regained totalitarian control. Heh, if that floats your boat, everyone’s including or except your boat has left the harbor because ships are safe there but it isn’t what ships are for. If you can’t see the analogy … you’ll be sunk.

And then, there’s a pic:
000004 (5)[Great for learning gaff rigging but for serious yachting…?]

Maverisk / Étoiles du Nord