Ni Dieu ni maître …?

On the non-existence of ‘governance’.

Suddenly, I realised the full truth of Mintzberg’s dismissal of ‘governance’, since the traditional management would fit the bill perfectly but it has devolved to nothing more than a numb sort of administrative-clerk role (if you’ve read it and don’t understand, re-read it until you do).

Because, ‘governance’ isn’t anything. That which is assigned the ‘governance’ label, is nothing, literally and figuratively, and in all other ways nothing, more than plain good old management. Those who need models to do that, prove ex ante that they will fail at their job.

Some of you may have heard me whisper, say, yell, over the past decades, that ‘governors’ are just a bunch of calcified obese that got stuck in their place and for mortal fear of being found out, they’ll mumblebluff their way through anything, anything, thrown at them. Zero, really zero, control over actual affairs, zero understanding of how shop-floor level work (the horror!) keeps the whole house of cards afloat, zero understanding of the treacherous nature of the false prophets deployed as ‘managers’. A few, a precious few white crows… the masses of them (all), just black. Inert.
If all ‘governors’ would disappear at once, wouldn’t society’s productivity shoot up through the roof ..? Wouldn’t actual managers step in and do the little bit of steering that’s required? Wouldn’t they disregard any of the ‘managers’ that (would) panic around, pushing them back into clerkdom ..?
Sigh.

One can dream, can’t one ..?

[Which one is it ..?]

Top-down fantasies

And so, the emperor was shown to wear no clothes…
One couldn’t even blame PCI too much; their standards (meaning: as in uniform things, not the flags one can rally behind) actually do include pointers to deeper (and common-sense) actual infosec control implementation. But not throughout…

… nor systematically. As written before, and in many other posts on this site: The Information Security “Management” (quod non) “System” (quod non) was trusted because upward reporting on its efficacy showed ‘satisfactory’ or better – without realising that it was just deafening and wholesale bureaucratia’s babbling.
If you believe in compliance reporting and similar fairy tales, you’ll believe anything. How much misery must be heaped on all that can’t help it, and all that might have, before the fear of independent thought is restored in particular where it’s needed…? We may get philosophical here. And/or practical. Or whatever. It’ll take a book(s) to describe it clearly enough for the unconvincible to be convinced or at least to get them out of blocking positions. They truly are the Maginot line of organisatia.

And a picture to close off for now:
[Still somewhat light, though sturdy; Enschedé]

Rule-based rules rule, babe

First, a picture for your viewing pleasure. You’ll need it.
[OK, noga I mean toga I mean yoga class, Bryant Park]

Soliciting your help in trying to find the lapse of reason in the following:
Rule-based laws, or regulations, or organisational procedures, aren’t always bad. There need not be a principle-based approach always, certainly not since (fact) that deteriorates over time into yet another bucketload of rules, every time again, for clarity [which proves it just is too difficult for the great many, to think, to only need the principles and act accordingly…].
There can be simple sets of rules… here and there … IF those rules are the precious few guiding rails needed, to keep everyone in reasonable alignment. Brushing off the sharpest edges, and standing ready in the background when something might go haywire.

In organisations throughout. Anything one can dream up, may be left to the specialists (if…), who (should) know best and need not be micromanaged.
Who is it that thinks to be better at rule-setting than the ones in the midst of turmoil in the first place ..? The compliabully, yes, but kick back (Frappez! Frappez toujours!) for freedom. The biggie rulesets derived from principles or not: They squash your freedom of action, your independence, your autonomy.

Take a look at societal rules. The law books have a few very abstract principles, and a great many very detailed rules… In case of doubt, courts come to the rescue [give or take that even there, one cannot be 100% perfect always]. Normal people using their normal brains, will not overstep the line.
Why can’t subsocieties like industry sectors function the same way? No authorities there, to govern the lot? Too many free riders and other scum, maybe; then step in from the outside and wipe it all clean (including the internal cleaners that didn’t perform – claw back their income in full as they didn’t deliver on their promises. Bad luck, such is life throughout the centuries).
Why can’t subsubsocieties like organisations function the same? Same. Would wipe the top half of many an organisation; silly bureaucrat mice walking on the bridge next to the elephant and claiming how much noise you make.

So, would we need oaths per professional association or per industry sector? No. By having been born, one has sworn to uphold the law that includes the lesser rulesets that any halfbrained dunghead could know to have to work within.

Postquote

Just a rip from Seth Godin’s blog:

Entropy, bureaucracy and the fight for great

Here are some laws rarely broken:

As an organization succeeds, it gets bigger.

As it gets bigger, the average amount of passion and initiative of the organization goes down (more people gets you closer to average, which is another word for mediocre).

More people requires more formal communication, simple instructions to ensure consistent execution. It gets more and more difficult to say, “use your best judgment” and be able to count on the outcome.

Larger still means more bureaucracy, more people who manage and push for conformity, as opposed to do something new.

Success brings with it the fear of blowing it. With more to lose, there’s more pressure not to lose it.

Mix all these things together and you discover that going forward, each decision pushes the organization toward do-ability, reliability, risk-proofing and safety.

And, worst of all, like a game of telephone, there will be transcription errors, mistakes in interpreting instructions and general random noise. And most of the time, these mutations don’t make things wonderful, they lead to breakage.

Even really good people, really well-intentioned people, then, end up in organizations that plod toward mediocre, interrupted by random errors and dropped balls.

This can be fixed. It can be addressed, but only by a never-ending fight for greatness.

Greatness can’t be a policy, and it’s hard to delegate to bureaucrats. But yes, greatness is something that people can work for, create an insurgency around and once in a while, actually achieve. It’s a commitment, not an event.

It’s not easy, which is why it’s rare, but it’s worth it.

And a picture for your viewing delight (?)
[The epitome, unfortunately]

Continuously intermittent

Why processes don’t work, at all: The blocks. The activities scheduled, often only throughout the year, in sequence. As if … Reality will throw all activities at you every day, as reactions to incidents and panics.
Along the lines of “Can’t have a massive data breach today, because this first quarter we’re only supposed to do risk analysis by the book – unsure if by Summer, we’ll have finished this as everyone is learning the first baby steps of it in turns. Come back per September and we’ll have a result that no-one of us recognises, or anyone else for that matter, as anything approaching a serious result, and no-one will know what to do next or have budget for it.” (Remember, the 15.5 risk ..?)

Practice may sober you up. Then, auditors come around. “Check. We did ask about this. Uncheck. You failed to do the irrelevant. It’s nothing personal, but your head will roll.”

Oh well, Mintzberg had it right already.

Check; need to write this up in some white-paperish long-form post. Closing off now, with a picture for your viewing delight:
[Ah, what a monument, what a museum!(piece) to cherish, to search for]

Selecti(n)on

[No room for downstairs personnel]

Where are the leaders?
I don’t mean the hopeless hapless clueless bureaucrats that label themselves such.

I mean the kind that opposes the following:
Every time again, when something goes horribly wrong in society, it turns out there are few to blame, if any, after careful search and much (self- and friends-)exculpation. It appears as if (read: when) all societal structures, regulatory and oversight structures in particular, are just set up to spread accountability. So that when all are accountable, none are accountable.

Quod non! However, the meek, that shall be eternally butchered in hell for their inaction against Evil (i.e., bureaucracy and its drone executioners), their complacency and their numbness. Is the latter a definition of blindness to the real world?

E.g., in the world of temp staffing, in particular re freelancers, contractors, external consultants. Some department has a need, however inexact the requirements for the solution. The in-charge must deal with HR, and Procurement (in all their shades and colourings, and many other departments probably too), to get a slot filled. HR and Procurement have NO clue whatsoever, are only marginally capable of posting a check box list from some outdated, never-have-been-valid longlist of randomly assembled requirements.
Candidates apply. The ones that check all the boxes (currently, often automatedly, shutting out even more interpretation), get the job. The ones that fulfill the original need, don’t. All now must be satisfied for procedure was followed – to death. The problem owner isn’t since (s)he gets only the dull, the procedure-fitting, not the original, the fresh, the new, that could actually create (new, innovative) solutions to the ill-defined problem. The true candidate isn’t because (s)he’ll never be able to deliver the real solutions.
How can you comment when HR and Procurement just did their jobs ..? When in fact, they didn’t. But theirs was not a lofty goal or objectives, theirs was just the mincemeat targetlets. Operation successful; patient died.

And don’t start on the financial sector… And every business failure in between.

Or do we first need to revert to common sense in principle-level target setting, over just the quarterly figurelets..? This may not catch on quick enough to prevent the mob from raiding the regents’ houses… (as here (Dutch)).

So, where are the leaders that call this crap for what it is, fire all those that refused to think, and instate and require direct comms wherever possible …?

Frameworks, the inventions for …

[Sturdy volume, i.e., Rotjeknor]

… for hanging.

Most unfortunately, after the demise of SOx et al. (as in this and many other places) there still hasn’t been a decline in interest for ICT management frameworks.
Which is bad, because

  • The Odies of this ICT management world, that is, both the ‘managers’ themselves and all the hangers-on like consultants, internally and externally, compliance freaks, auditors, etc., will still require yet more implementations of ‘new’ frameworks that, luckily, are so much blown out of proportion that their giant bubble content has diluted to a level both easily implemented and ever more quickly demonstrated to be failing the achievement of original objectives. Much ado about nothing.
  • [But after so many rounds of failed framework implementations, why a. do you not realise that it’s stupid to even try, b. do you not fire all that were involved as they apparently didn’t deliver ..? The latter, as continuous renewal and improvement must have been part of the implementation all along, and that hasn’t happened …!]
  • The striving for framework implementation still takes all the resource away from growth avenues, to calcification practices.

Get over it! The world has never been more unstable than [pick your most recent timeframe you consider relevant, when less than one year …(!)] … I mean ever before. [Sorry for the warped sentence; you get my drift.]
Which means that the cozy cold (!) sitting still like a rabbit in the headlights that frameworks will coax you into, will not carry the day if it ever did (do you need the spoiler? : it didn’t). By stifling any other, maybe actually innovative, useful-in-prepping-you-for-tomorrow projects as they get implemented, and afterwards in particular if they’re successful.

Would I hence advise to use frameworks?

  • I don’t, if you’d want to take them as more than rough guidance. Use your brain! Frameworks are what they are, they’re not filled-in voids in between.
    And/or I can, and want, to help.
  • I do, if you want to crucify yourself (sic) on them. Not trying to be harsh, but good riddance.

OK, now have a look at your own industry. Finance including (ever more) central(ised) banks, anyone ..? Ever more attempts to regulate, to smother in totalitarian bureaucratic control …? And still wondering why and how the disruptive greenfield ops take over?

Mehhh Practice

Mehhhdrid
[Mehhhdrid?]

This appeared:

Nicely summing up a widespread complaint. E.g., against ISO 2700x. One should be forbidden to call those ‘Best’, as they are average, at best.
Because they’re adopted by the ones with no imagination of their own so implementations will fall short of average, thus in mass lowering the average even further.

And Best has never been Best in the first place. ‘tWas a compromise, as it had to cover so much, over so many contributors at its inception already. Remember, BS7799 ..!? And on and on in review rounds, committees decided over changes. A camel is a horse designed by a committee. And it all had to be applicable to as many industries as you can dream up. Another flattener par excellence. Standards work, where there is little variation required. Here, much variation, tailoring to each and every implementation over and over again, is a prerequisite for any success. I might continue.

Luckily for you, the new ISO27001:2013 of last October, is a huge improvement…. To the panic of the knights of busywork, one cannot anymore rely on following the herd as described, prescribed, because, at last, the prescription tends to Use Your Own Brain. Principle-based at last ..! For some elements. Tuning required, not by the (C)ISO (office) (only), but by the Business itself. Oh dear! The implementation efforts… Consultants’ dreams.

Well, get the lowdown of this, from experts [disclaimer: don’t own anything of them]. Just wanted to post the tweet and my take on it.

The librarian wave

[Had this as my cubicle, a long time ago]

There seems to be a silent undercurrent wave of librarians entering our (not) field of information processing. If you think their thinking might be stale, think again. This here piece, for example, is clear and bright in its contributions towards better …, well, calling it flatly what it is, ‘data’ management. Flatly, as that’s what one gets by approaching it from the IT side only. ‘Processes’ add only so much. I.e., so little.

Just one pic from that blog post to demonstrate the clarity of thought:

How’zat for clarity ..?

I’ll pick this one up in full, later, when extending the stuff on ‘information’ in light of the one overarching Book on it all that I still have as a plan, if only I had the time to work on it full-time …!

Maverisk / Étoiles du Nord