Define ‘Risk’…

This should be an easy one, by pointing at ISO 31000 and its definition: the effect of uncertainty on objectives. But that same easy def also raises more questions than it answers, e.g.,

  • How to define [ hence | and ] classify effects,
  • How to define [ hence | and ] classify uncertainty (a biggy …!),
  • How to define [ hence | and ] classify objectives,
  • How to establish measurement of effects,
  • How to establish measurement of uncertainty,
  • How to establish measurement of objectives

that all have an impact on, and are impacted by, the definition. Hopefully, I don’t have to elucidate ‘define hence classify’, ‘define and classify’ or ‘establish measurement’ regarding effects, uncertainties or objectives. I’ve been at the subject before (here and many posts since) so much that it hurts, me too. But still, many won’t listen and remain stuck in their proven (sic) mistaken belief that the World we’re dealing with, can be caught in models to ‘predict’ the future and/or at the same time remain stuck in, by now approaching hilarious, classifications like Basel II-IV’s… or the slowly but steadily outdating of the classical information security mantra of CIA — those three classes of objectives don’t cut it anymore.

For the more advanced reader (approx. 90% by now — hopefully), the question remains: How to define and classify uncertainty, effect(s!) and objectives ..? Standard classifications all had their stab at it, but failed for the fuzzy nature of those phenomena. Some leaned to the Uncertainty side, trying foremost to classify threats. Some, to the effects side with their vulnerabilities-first approach — via the Impacts classification. Some even had Objectives in mind when pondering the downside potentials of loss-of-upside potential, including scour-for-opportunities to any (0-100%) degree. And then, there’s the abovementioned surefire laugh over ‘Event’ driven analysis… yes consistency, completeness and orthogonality remain essential.
But above all, none captured the time-fluctuation confluence of causes, effects, impacts, … [what have we] that all have such unanalysable structure. Due to their continuous nature; contrasted to the discrete nature often but cannot-be-more-false’ly assumed. [If you don’t get the fundamental difference between discrete and continuous phenomena, go study core math in depth, length and breadth. Which is helpful against so great many ills of mind…] And due to the enormously-over-three body problem of interactions [link is about grand business not the petty risk analysis kind but the link therein is valid for the above, too].
Modeling in order to understand may work, but only to understand the exaggeratedly dumbed-down model, the conclusions of which if normative are (in this case, there is such a thing as absolute) certain not to apply or work so why bother. Oh, maybe you may bother, to get a feel of your inadequacy. [Note: I don’t feign to be above that. But I don’t allow you to assume you are as that is both a theoretical and practical logical error.]

Yes, yes, I know; there very probably is no One Classification Fits All, then. But we may dream, and strive for it, don’t we ..? And at least be very, very clear about it — it being the approach we do take, and what it might potentially (with the probability being above zero but certainly being far off 100%) achieve. Aren’t GUTs, like the Standard Model or the hyperdimensional string theories, the dreams that stuff are made of, too ..?
As always, your suggestions, please. And:
[Just wait till Etna Says Boom. Or don’t.]

T.L.D. Richelieu

A.J. du Plessis, Cardinal-Duc de Richelieu et de Fronsac, a.k.a. ‘Big R’ in quotes-land, was ahead of time to say “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him”.

Surely, he meant to instate the ‘prove me’ idiocy that pervades the TLD prison found in so many organizations, where regular folks trying hardest to manage, aren’t allowed to because they first have to comply (completely, slave-style) with filing requirements that can only be read to deliver the above-mentioned six lines. If only it were the six lines! Books have to be filled with full proof of having followed each and every petty little rule, that like a spider web was only designed to catch the little bugs whereas the big ones just bumble through.
The joy really starts, for at least some — not the managers but the ‘auditors’ and other unproductive on-lookers — when necessity (sic) calls for alternative execution and registration due to customer satisfaction requirements not aligning with the One-Size-fits-the-Universe design of ‘processes’. Where the accused has to deliver a guilty plea with perfect documentation, to a bigoted law. The latter qualification, because it runs counter to the ultimate and ulterior goal of the organization, proven by a deviation being necessary to serve the latter. In client requirement versus framework consistency, the former always should take precedence and the latter is a fallacy, also in view of the ever-faster changing external and internal world, but things are all too often the other way around.

So, “Here, we have followed to perfection a slight deviation from the once-planned process steps, in order to serve the customer better and hence raise profitability” is about all the six lines one needs…

I feel sorry for your loss of innocence (-disguise of evil spirit)… hence to soothe:
[Intensive human farming; squeeze till dry then dump]

Old, new, borrowed, blue or is it?

Some claimed Über was (sic) disruptive. Others try to figure out how to ‘disrupt’ themselves or their (?) industry. Mostly, the latter comes down to analysis of how things are / are done in the industry, and finding radical improvements.

Now here’s three things re the taxi ride market:
a. Where traditionally, supply and demand happened to be present at the same location in the street, or demand waited for supply to show up, we now have a pre-match. Or hold it: that existed by calling a taxi co.
b. Supply has been upgraded in quality. Nothing revolutionary here; premium services have always been available.
c. Rules as set by democratic society, are circumvented. E.g., rather operational/technical minimum requirements, pricing standards (against driver/customer extortion and surge pricing and similar Hobson’s Choice trapped-demand ploys) and limits to (over)supply, by taxi regulations. In many places, the newcomer just did the outright illegal. Huh, quite a feat but should remain culpable.
d. [I dislike proper counting] There’s a feedback option on the quality from and to both sides. Drivers, and customers. Obviously doing the latter a sizeable disservice they still seem to swallow (possibility for recourse!? legally required per privacy laws, where they exist; maybe not the USofA…). Doing the former a further tie-down into a minion’s position (far beyond what also already existed, called a phone, you know, those things with curly wires?), enslaving.

Now, by my guess, of the above only most minor, gradual differences apply. If nothing at all radical is disruption …

I’ll leave you on the curb with:
[Disrupted lives, but of the ultimate Honour kind that the above is the opposite of; Arlington Nat’l]

Nothing as powerful as ill-guided over the top Lean (i.e.) self-destruction

Where Lean creates its own calcification — compared to, and evoking, its Schumpeterian nemesis the long tail start-up disruptors sphere of true customer service.
Because, think of it: Lean is about reducing the handling of variance, of inputs, processing, and outputs. But nobody wants ever less adapted products. The Makers’ Movement is on its way for a reason..! No-one cares for the hyper-efficient execution of ever more useless processes. Oh fine that you’re doing things so six black belt’y sigma-less (sic); nobody will give you a cent for it. As your value would be in the opposite: The attention to each and every individual quirkiness. Ecce homo idolaticus, ecce shrinking spiral, ecce dull prophets.

Just wanted to share this insight, though. And:
[Verrry much unfinished business… ’15 DC]

The Bureau of Chaos, by Theory

As a side note to, e.g. this here masterpiece…:
The tendency of bureaucracies to ever further detail its rulesets, that quickly become so burdensome [apart from other ills, ethically much graver], that is evident wherever (top-down) principles are translated in quasi- (not even semi-) mathematical ways, algorithmically almost, to the level of pervasive implementation, stems from the ultimate control approach to life clashing with the ultimate finest-grain detailed descriptions of the universe. Intentional, and definitely normative, description (in order to control! Man over Nature!) banging heads with extensional description.
Which will petrify, then fail because it creates its own Chaos structure, as described here. Where ‘repairs’ to the System are attempted over and over again since the initial values were not infinitely exactly known, can never be. So, one builds rulesets that behave like fractals (zoomed into), in particular when studied to understand and maybe subsequently fight.

Still, the Why of latter-day Bureaucracies (for once, I tried to avoid the overly negative, accurate and pejorative ethical (and esthetical) qualifications I commonly give to these totalitarian, inhumane structures — the latter qualification because of the Will to un-humanize it all) remains in doubt, as the Man over Nature thing (setting rules, hence achieving predictability) is somewhat less valid than otherwise; a bleak reflection of what we feel is a better description of motive.
[Intermission: Be aware as you were, that the b rulesets might be the spelled-out kind but the unwritten rules- social group kinds are also included.]
Ah, back to Maslow, maybe? Yes, yes, was dissed over the past couple of years; attempted to — and failed, probably due to unawareness of its deep values and not only superficial Meaning. Exceptions, the uncontrolled (by definition, and as the Outside is by definition, too), are threats to the achieved in that pyramid. ..? Though the higher up one is, the better one can handle ambiguity, uncertainty, the unexpected, black swans and Extremistan.

Just wanted to put it down for you. And at last a somewhat positive turn, I’ll leave you with:
[Royal waiting (room) for Godot (i.e., National Railways everywhere), Amsterdam — notice the almost perfect horizon .. little less perfect but hanging in there … whoops! of the horizontal orientation]

Comparatively innovative (Beetleroot)

There was this quite simple hack; in (very) pseudo-code: If 2-wheels Then { Rollerbank; diss up some fancy figures; }
Which calls to mind the Problem of BIOS hacking / backdoor/malware pre-installing, as explained here.

On the one hand, a solution is available: At a sublimated information level, encode, as here. In the physical, car, scenario this would be readily implementable as: Just test the emissions, not rely on data produced by the system itself. Prepared By Client is used pervasively in accounting (financial auditing part) as well so consider yourselves warned…
On the other hand [there always is another hand it seems, possibly because this is real life], in the VW scenario there will probably also be a call for source code reviews. Or at least, from the software development corners, there will be. But then one ends up in the same situation as spelled out in the Bury post: How to verify the verification and not be double-crossed? A source code review would be one part, but how to compare a clean (pun not intended at time of typing) compile / image to what is actually installed (continued, without change-upon-install-to-dirty-version or change-at-service) throughout in the field?
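
The point of the two paragraphs above, as an added example that is not part of the original post: a unit's own answer about its firmware is ‘Prepared By Client’ even when challenged with a fresh nonce, whereas an out-of-band flash read compared against the image built from reviewed source is not. The `Device` class, its method names and the sample images are constructed for illustration.

```python
import hashlib
import hmac
import os

CHUNK = 4096  # comparison granularity in bytes (assumption)


class Device:
    """Constructed model of a fielded unit; not a real vendor interface."""

    def __init__(self, flash, clean_copy=None):
        self.flash = flash              # what is actually installed
        self._clean_copy = clean_copy   # a dishonest build keeps the reviewed image around

    def self_report(self, nonce):
        # The firmware answers the challenge itself. A dishonest build simply
        # computes the answer over its stored clean copy, so the nonce does not help.
        image = self.flash if self._clean_copy is None else self._clean_copy
        return hmac.new(nonce, image, hashlib.sha256).hexdigest()

    def external_readout(self):
        # Models reading the flash chip out-of-band (external programmer),
        # without asking the firmware under test for anything.
        return self.flash


def check_self_report(device, reference):
    """'Prepared By Client': challenge the unit and compare with the expected answer."""
    nonce = os.urandom(16)
    expected = hmac.new(nonce, reference, hashlib.sha256).hexdigest()
    return hmac.compare_digest(device.self_report(nonce), expected)


def diff_regions(reference, readout, chunk=CHUNK):
    """Return merged (offset, length) ranges where the readout differs from the reference."""
    regions = []
    size = max(len(reference), len(readout))  # a longer or shorter image is a difference too
    for off in range(0, size, chunk):
        if reference[off:off + chunk] == readout[off:off + chunk]:
            continue
        length = min(chunk, size - off)
        if regions and sum(regions[-1]) == off:
            regions[-1] = (regions[-1][0], regions[-1][1] + length)
        else:
            regions.append((off, length))
    return regions


# Constructed sample images: a 20 KiB reference and a copy with 10 bytes changed.
REFERENCE = bytes(i % 251 for i in range(5 * CHUNK))
_tampered = bytearray(REFERENCE)
_tampered[9000:9010] = b"\xff" * 10
HONEST = Device(REFERENCE)
DISHONEST = Device(bytes(_tampered), clean_copy=REFERENCE)

if __name__ == "__main__":
    for name, unit in (("honest", HONEST), ("dishonest", DISHONEST)):
        print(name, "self-report ok:", check_self_report(unit, REFERENCE),
              "| differing regions:", diff_regions(REFERENCE, unit.external_readout()))
```

The comparison is only as good as its inputs: it assumes the reviewed source builds reproducibly to the reference image, and that the readout path does not pass through the firmware under test.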

Another issue from this: How to overrule self-driving (or what was it; fully-autonomous) cars ..? The BIOS-hack and Car examples show some intricacies when (not if) one would have a need to overrule near-future “Sorry Dave, I can’t Do That” situations. Once no physical controls are left to take over manually, … Arrmagerrdon. Yes, that 2001 was a rosy, romantic, not horror scenario. And demonstrating that at a comprehensive abstraction level, Prevention still trumps Detection/Correction. But not by much, and the advantage will slip by careless negligence and deliberate deterioration efforts.

Oh well. We all knew that All Is Lost anyway. And then, this:
[(digi)10mm wasn’t wide enough to capture the immersion in this… Noto again]

Roboccountant

Talking about robotisation of the accountancy industry…

  • Automation is letting a computer do the same, or about the same, as was previously done by hand and/or mind.
  • This ‘doing’ is a walk-through of an algorithm. In its simplest form, and for major parts the core of accountancy / bookkeeping processing, this was even parameter-free so no switches needed to be made, no decisions at switchpoints. But sometimes, the switchboard was external e.g., in accountancy rulebooks that were but for (idiot) savants (a.k.a. ‘only some accountants’) near- or completely impossible to stuff in one’s head as part of the programming.
  • The Turing machines have it. But this line is only a display of wannabe Wisdom re core automation / programming knowledge.
  • Computers were freely programmable. And still are, mostly. Robots? Maybe not so much. But then, they’re of the industrial kind welding together your Tesla, or of the ridiculously purposeless humanoid kind. So, why talk about robotisation when it’s more about automation (of the classical label), nowadays called ANI, in the cloud or not..?
  • But then, there’s a lot of interpretation and shot calling and estimations up for discussion, in accountancyland. But that was what AI was supposed to solve! So far, we have only explored the either Expert System pure logic, or the ill understood neural networks deployment, but we haven’t integrated well enough the in-between (or supra) field of Fuzzy Logic. This could bring about a far more absolute truth of e.g., 60% admissibility of some estimation and at the same time a 60% inadmissibility of the same number. Then what — is determined by …? But that’s just how it is today, in the accounting industry, disguised as tough talk on admissibility but in reality styled more like cowardly firing squad pleading.
  • I already blogged about continuous instant report generation based on approved XBRL templates, that could draw on All data available in some organization, to deliver reports with the latest data to just whomever has access to the template/generation engine.
  • With assurance on the templates, and on the soundness of the base data pool generated/filled e.g. by automated verification against external sources, and on the integrity of the XBRL templates and the generation engine — nothing more needed. Initially, difficult enough, but learning effects will diminish the burden.
  • A second intermezzo: Of course all assurance will be delivered to your smart watch (sideline: as if such a thing would ever exist). Just strap a tablet to your wrist and you’d still be out by quite some margin, on screen size required to quickly glance over all relevant data (in one view! as is almost always required to understand the displayed, to have information from the data).
  • What if we find that all fuzzy logic including zero-to-somewhat fuzzyfied expert system’s translations of the hand- and rulebooks, would be implementable on rather simple neural networks, in the order of magnitude of a snail’s brain. No, not hinting at you, but the slime trail left by that Partner you know, is tell-tale.
  • When not if, weaving errors turn up in the rulebook algorithmic… When not if, the translation of True And Fair View into materiality criteria (NOT the other way around..!!! as it would be today but also as is complete and utter stupidity of the sackable offense and life without parole magnitude) will turn out to be faulty.
  • The idea that blockchain based trust will replace the value (if any(more)) of the wet signature — has that concept become sufficiently laughable ..? — of any particular person for reliance, is moot but may have to include indemnity / insurance coverage in one way or another, or is all accountancy (?) fee placed in escrow until a pool fund for expected claims is (over)filled?
  • But, will blockchain trust not go the same way as reliance on open source software ..? Will it not fail in light of the Bystander Effect ..? Then, exploited by the worst, first. As usual.

Well, just some touch points. The main one being: The rules are algorithmic, almost by definition. Until now, there was no good automated engine to draw on, but the inroads Watson is making in the medical field (oh how comparable!), show how close we (well…) are to being outflanked by … Hey let’s have a contest about the name this first Roboccountant will have …!
As long as we don’t fall for the trappings to believe in any kind of child’s hand is easily filled expectation of a humanoid robot but rather one that has no physical existence other than its bits spread out over the global infra.

Oh hey before letting you in the dust, to clear up, herewith:
[Not evil but Ibla]

Should I go or should I go – Maps out of bounds

Oh-kaye, was on my way yesterday to this seminar on IoT — which is irrelevant info (is it?) but whatever — when I turned to Maps for final approach instructions, appropriate as I was, relatively speaking, props traffic i.e., by bus for once and on foot. The address: Clearly, Schiphol Group at Evert van der Beekstraat 202. Which Big G did find — far off from the ‘heart’ of EvdBstreet I had looked up earlier. As I guessed to have to walk only some 200m, I reverted to walking ‘back’ to the central terminal (in the rain, mostly), guessing the location would be in or next to the crew building. Arriving there… no sign of any ‘202’ or even of ‘Group’. Helped in a very friendly way, I was sent up the office block next to the old control tower, and from the 8th floor big window view was pointed… to the other end of the airport office area… where I had been, 200m off but now a full (English, or US if you’d desperately want) mile away.

Which brings me to the point (if any): At what point does one decide a whole seminar isn’t worth the effort anymore; time and travel spent being sunk cost and some more of both is required but also one’s already beyond suitably late …? As it happened, I had a couple (like, three) of these moments, time aplenty to have them, thanks to Google Maps… But still, you know that feeling, and how did you decide ..?

[Yes in the end I put in yet some more bus fare and did go; it turned out to have been very much worth it, due to ISSA NL organization]

Starreveld in the Information Age (industry)

@deKokPieter or others (or just one of his interns; grad work?) may have to help me out with yet another crazy (not (?)) idea of mine:
There was (is?) this great theoretic of accountancy called Starreveld, with his value cycle typology for, literally, every kind of industry and on close reading, even sub-industry. Given that we live in times of information processing factories, how would they fit the model or how would we have to read / translate / interpret the model to ‘work’ in today’s day and age?

Since the information processing industry, being almost all of the world’s service industries including (almost) all public sector organisations, works in an extremely devolved form of hyper-mass-single-piece production including storage, and how do we translate e.g. stock type and count to ‘information’ and ‘data point’?
If we take this approach, i.e., from both sides, being from the current industry operation side to Starreveld and the other way around, do we have a complete mapping and what do we learn for control and audit ..?

Just putting it out there. This, too:
[That little theatre of note, I mean Noto]

PIA is KIA and KYD (?)

Since the whole Privacy thing has gained new traction with both the European Data Privacy Directive regaining (some…) steam and the European Court finally deciding what all with any bits of brain already knew i.e. that ‘Safe Harbour’ was a sour joke (to put it mildly), I realized, when working on a presentation for a forum centering on/around Identity and Access Management, that any Privacy Impact Analysis work comes down to two things; an objects-side analysis in the form of Know Your Data and a subject-side analysis by means of Know your (authorised OR actual) Identities and their Access, with some Privacy By Design thrown in at the solutions end.
Since I just like sentences of the right length, being entities that contain a discrete but complete set of logically coherent and united concepts.

And for those of you in the know; the above contains all there is to Know. Sort of. Maybe add in a bit of this (in Dutch; from the FD newspaper), for implementation. For a lot of implementation…
And, things may change in the somewhat near future with the advent of drones, IoT, robotics (humanoid or abstract), and ANI/AGI/ASI, in the IAM sphere alone. Just read up your huge backlog on this blog, and elsewhere as I cannot really summarise it all here…

I’ll give you some time space for that now. With:
[At the Ragusa Ibla end but of course you knew]

Maverisk / Étoiles du Nord