Business not as usual, business as business

#governance is an ongoing effort that requires your organization to run assessments in both a bottom-up and a top-down fashion.

#risk is more than just the bad things; risk also includes opportunities, where being prepared lets you gain an advantage or benefit from the opportunity.

To talk about risk effectively, we need to define a few things:

Condition – a state of being that has desirable or undesirable (or both) effects on objectives.


What conditions in your environment are business-essential?

Likelihood – an estimate of the chance that something may happen.

(Take a quick look at the word "estimate".)

‘determined, appraised’, from the verb aestimare. The noun originally meant ‘intellectual ability, comprehension’ (only in late Middle English), later ‘valuing, a valuation’ (compare with estimation). The verb originally meant ‘to think well or badly of someone or something’.
Source: m.apple.dictionary


Here’s where you’re going to make an estimate; the working groups involved should understand your stakeholders.

Impact – an estimate of how an entity will be affected by something that might happen.


Get better insight by asking your teams: what do you work on, and if it stopped working, what are the cascading effects?

Velocity – an estimate of how quickly something might happen.


*estimate* – ‘to think well or badly of someone or something’

Timing – an estimate of when something may happen.

(There’s that word again; you really need to ask your teams engaging questions.)

Today? Tomorrow? This quarter? When you’re about to go to production? On the system that is configured but has no documentation? Over a holiday? Do you have a retainer in place? (That’s a lot to think about.)

Duration – how long the effects are felt.


What’s the time to restoration? How many items in production were disrupted? Which customer jobs were not completed? Which customer jobs will require another department to re-process an order or an engagement? Does your organization communicate with customers in a way that conveys responsibility? How will your organization review the outage and carry out root cause analysis?

Frequency – how often the same event might happen.

Could this happen again? Will we even have the opportunity?


Keep the first principle in mind before you start this.

1. Reliable

  • Disciplined – managed, governed, assured
  • Consistent – few surprises
  • Accurate – free from error and bias

Starting here, you can pay back your tech debt.


#governance #risk #compliance #infosec

Erica Paisible

Senior Consultant - Cybersecurity Auditor | SOC | ISO | GRC | Attest Services | Project Management | SEC+

2 years

Great article!
