Is it “disc” or disk”?
I digress . . .
I am sure that you, like me, get into many discussions about “policies”, “controls” and “compliance” in your organization.
These things are often seen as inalienable concepts in their own right, even “altars of worship” in many situations.
This week I had a regularly quarterly review with one of our customers and we stumbled into this topic and discussed the importance of taking time to understand the context.
This representation of that context came up in conversation, and we named it the “Disk of Risk”.
When discussing a policy or a control, we need to understand what risk we are trying to mitigate.
- Risk is about the major themes of “what can go wrong”.
- Policies are what we design to mitigate those risks.
- Controls are the mechanisms we put in place to ensure these policies work in practice.
- Monitoring provides our assurance that the controls are working, and the risk is being managed.
- Action is the art of decision making to adjust direction and drive continuous improvement.
When we get into a policy or control discussion, always ask “WHY?” . . .
It ensures a focus on business outcomes, continuous improvement and helps avoid being led down the path of irrelevance.
Even better, from time to time, we find policies and controls that are outdated and no longer appropriate for the current business or technology environment.
Business is not about “avoiding risk” but managing it.
We can’t always choose the weather, but we need to make best decisions to navigate the prevailing conditions to reach our objectives in the fastest time (lowest cost) achievable whilst keeping safely within the parameters we set.
It is all about “Risk Informed Decision Making”.
And that is all about context . . . .
Thanks for reading . . .