Further to yesterday’s post, here are some side notes on ‘control’s.
Typical ‘ORM’ takes risks one by one and treats them all in the same fashion: take one risk, see what you can do qua preventative controls, and then … a long time of bickering and arguing until some arm twisting leads to hap-hazard (sic) implementation of something that could, in some weird way, be explained as the intended control (so it only just can’t be denied to be one), which stays implemented until the auditors go away. Onto the next risk. In rare circumstances, already ‘implemented’ controls are also taken into the analysis (sheer quod non), and very maybe some form of interlocking effectiveness is considered. No more than the latter. Costs … no, it’s all about cost avoidance, the cost of unnecessary write-offs, and hey, what’s the cost of just sticking to some uniformised procedures, right? The cost of potentially missed business, because the business processes are so straitjacketed that clients go away, is too hard to establish, hence don’t bother.
The result: a gigantic heap of ‘control’s of which the effectiveness … isn’t.
Typical ‘ORM’ would also take a portfolio approach to actual losses due to mishaps, as recorded in the books: without regard for the secondary causes of controls not being effective (except the most glaring breaches of agreed (not!) upon procedures), without regard for the costs incurred (hindrance, sometimes severe, to execution; missed customers) that don’t match any savings in avoided wrongs, and with no regard for near misses (where, oh joy, write-offs are indeed avoided). Sheer luck, or ignorance of the unknown misses, is in no way excluded; rather, it is taken as a sign of being ‘in control’. Procedure macht frei.
Trying to fix this by doing an organisation-wide analysis and establishing the sum total mesh of ‘control’s may only work in the smallest of situations, where eyeballs Mark I work better. Other situations are hopelessly beyond the level of complexity that any human can handle; a technical shortcoming of brains, the presence of good examples of which is already an untenable assumption when looking at the manager class of your organisation.
Result: yet again, 3LoD (Three Lines of Defence) is a systemic failure. And heat maps, the same.
Solution: Radical ‘first-line’ risk management. I.e., doing management by its definition of decision making under uncertainty – which is so opposite to all the above circuses that assume total control can be had, with the ideal even of zero remainder risks… If you believe that, why not do the data collection with the fairies? But there is a future in risk management: Inclusion of uncertainty in how plans will play out, when drafting them and taking decisions about them…
To Be Continued. And there’s also:
[(Parador de) Cardona, nicely defended against – nothing anymore]