Someone to Watch, Over Me….


    Before we dive back into Deming later this week, I wanted to comment on some discussion we’ve been having over at Chandler Howell’s NBFAC Blog.  Over at Chandler’s podium for all things risky (which, it should be noted, is the original IRM blog) - there’s some discussion about GRC and their meaning and role and purpose.  In my usual manner, I made a hasty, didactic statement to be taken as fact - that Governance and Compliance are actually prior information for Risk Management, and not the other way around (which is an unfortunately all too common phenomenon in modern ERM/IRM practices).

    Chandler offers an explanation as to why I would say such a thing:

    When people are in compliance, they are implicitly at our accepted level of risk. If they get too far outside of tolerances, then we now have a risk that must be managed. But without knowing what our accepted level of risk is, we don’t know which risks can be accepted and which risks must be managed to that level.

    Hence, Alex’s observation.

    Which would be awesome if I were really that smart.  Not that what Chandler is offering above isn’t true, but, as I’m prone to do, I reached the same conclusion in a much more circuitous (and unnecessarily laborious) manner.   But, it is kind of cool when two approaches arrive at a similar conclusion, so here we go.

    GOVERNANCE

    At the heart of Chandler’s excellent posts (do go read them if you haven’t) is the question of definition - specifically about Governance.  Chandler offers a good one in his post; I operate from a simpler one:  Governance is the verification of performance.

    Think about controls.  Compliance tells us whether or not our system of controls (or the control itself) is the same as some standard.  Compliance tells us nothing other than a binary “existence” statement.  It is a belief statement about whether or not we have what we say we have.

    Governance, on the other hand, verifies performance.   A Governance function, done well, creates a belief statement that we could call Assurance (it could be more accurate to say that the act of Assurance is the statement of evidence for Governance, perhaps).  Governance (or the Assurance) is “are we doing what we say we’re doing” with “what we have” (from compliance above).

    So far, so good.  As Chandler says, these are two sides of a coin.  So why do all these folks throw in “risk”, “risk analysis”, and “risk management” into “GRC”?  Are we risk folks just the awkward third wheel in the bizarre mating ritual between obsessive-compulsive  accounting approaches and IT micro-management efforts?

    If you let them have their way, yes.

    Otherwise, we risk folks are much more important.  We are the “So What?”

    ——————————————————————————–

    IT Security guy:  “I have an ISMS and I’m doing it well!”

    Business person:  “So…?”

    IT Security guy:  (Awkward Silence)

    ——————————————————————————–

    You see, risk management is the translation of business effort into value.  Compliance and governance are an expression of the existence of and quality of the business effort.  But there is no statement of value.  That’s where risk comes in - fed by the G & C belief statements.  In fact, there is a direct translation of how G&C help us quantitative risk folks that is really exciting for me.

    You’ll forgive me for droning on in the past about Bayesian approaches and the Subjectivist approach being more intellectually honest than the Objectivist, and so on and so forth.   But I did so (and do so) because it’s important and it makes sense.  You see, when we articulate risk, we’re really articulating a belief statement.  Now in any belief statement, the subjectivist acknowledges that degree of uncertainty (thus they are more intellectually honest than the objectivist who ignores that uncertainty by simply proclaiming their data “empirical”).  Since we, in IRM, have to take a more subjective approach (our data isn’t so hot) we have some degree of uncertainty we must account for.  For our controls, our metrics for control strength in FAIR, you know where we can get evidence for degree of un/certainty?  Bingo! - Governance and Compliance belief statements.  The business value of G&C is that they are prior information we should be using to set our “confidence” level around risk (in RMI’s IRAA software, “confidence” helps set the shape of the distribution we use in Monte Carlo simulations).
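As an added illustration of that last point (this is not code from the post, from RMI’s IRAA or from the FAIR standard): a small Monte Carlo sketch in which the quality of the Governance and Compliance evidence sets a “confidence” level, and that confidence sets the shape of the distribution used for control strength. The ranges, the confidence-to-lambda mapping and the simplification vulnerability = 1 - control strength are all constructed assumptions, chosen only to show how better G&C evidence narrows the loss estimate.

```python
"""Monte Carlo sketch: G&C evidence as a prior on control-strength confidence.

Added illustration, not RMI's IRAA or the FAIR standard's code. Constructed
assumptions: control strength ~ PERT(low, mode, high); the quality of G&C
evidence sets the PERT shape parameter lambda (weak -> flat, strong -> peaked);
vulnerability = 1 - control_strength; annual loss = TEF * vulnerability * LM.
"""
import random

# Constructed mapping from the quality of G&C belief statements to PERT lambda.
CONFIDENCE_LAMBDA = {"low": 1.0, "medium": 4.0, "high": 16.0}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution; a larger lam tightens it."""
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    if high == low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(alpha, beta)


def simulate_ale(confidence, trials=20000, seed=42):
    """Percentiles of annualised loss for a given level of control confidence."""
    rng = random.Random(seed)
    lam = CONFIDENCE_LAMBDA[confidence]
    losses = []
    for _ in range(trials):
        tef = pert_sample(rng, 4, 6, 10)                      # threat events / year
        strength = pert_sample(rng, 0.5, 0.8, 0.95, lam)      # control strength
        magnitude = pert_sample(rng, 20_000, 40_000, 80_000)  # loss per event
        losses.append(tef * (1.0 - strength) * magnitude)
    losses.sort()

    def pct(p):
        return losses[int(round(p * (trials - 1)))]

    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def spread(result):
    """Width of the 10th-90th percentile band: how uncertain the estimate is."""
    return result["p90"] - result["p10"]


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        r = simulate_ale(level)
        print(f"{level:>6} confidence: p50={r['p50']:>9,.0f} spread={spread(r):>9,.0f}")
```

Only the control-strength distribution changes between the three runs; the narrowing of the 10th-90th percentile band is the quantitative value of the G&C belief statements.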

    This approach (G&C feeding R) is backwards to how most people see it.  Most professionals see R serving G&C efforts.  Your average Joe goes out, looks for areas where IT is out of “compliance” and then tries to use risk to calculate the business reason for getting back into compliance (how the ISO thinks of risk management, for example).    I hope you’ll understand why I believe this is completely backwards.  No business should give a rip about compliance to SOX or PCI or GLBA or ISO 27001 certification or anything else except insofar as “compliance” to that something has value to the business - in IRM, how compliance to those things reduces the probable frequency and magnitude of future loss.  If there were no probable frequency & loss due to a state of non-compliance, do you think a red cent would be spent?  Of course not.  Nor would we care whether we were performing those things that made us compliant in an efficient manner.

    Now later on, we’ll talk about what this means for ERM/IRM, the CRO/CSO and IT Audit.  But for now, question the way everyone thinks about how GRC works, because it’s not a proven hypothesis.


    2 comments

    1. roodee Feb 27

      Unfortunately, being out of “compliance” is a reality that many organizations do in fact face. The regulatory, statutory and contractual obligations require certain responses and actions from organizations. I agree that many/most times these responses are divorced from an individual organization’s probable frequency and loss estimations (if they have them at all). Regrettably, there is a significant gap between this notion of compliance and the ideal that you have articulated. The backwards sort of compliance is perhaps the result of an organization’s inability to work in the way that you’ve described. There seems to be an underlying assumption that an organization will calculate probable frequency and loss based on the value others place on information (the consumer, shareholder, etc). In the recent past this has almost certainly NOT been the case. Standard self-interest ensures that calculations will favor those that do the calculating. The backwards notions of compliance are there to inform these organizations of certain standards that they are not free to ignore. In summary, there is a dynamic between your approach and the old way (I think this is rather Alex-esque). The new adds the much needed intelligence, repeatability and method; the old ensures that, while organizations are free to run their business, there are some limits which they must not ignore. How is that for a digression?

    2. Alex Feb 28

      Wow, really interesting - good thoughts there. I suppose my issue with “Compliance” has never really been the necessity of justice, but rather the ability for “we have a set of controls in place” statement to translate to “therefore we are more secure”.

      That is, I suppose my issue is partially with those who wish to consider the existence of controls *solely*, and ignore Governance. Then we get into what is important to you and me, is our organization doing more than just due diligence - that is, are we meeting our (moral?) obligation to protect the information of others. A simple checklist doesn’t do that.
