To publish 22 Dec; nr 3.

In a previous message I wrote about the differences between risk treatment and risk management.

These are typically different activities, carried out by different parts of the organization.

But here is what often goes wrong with these activities.

If you understand the difference, you might be able to do something about it.

Risk management starts at the top as a paper policy and then gets translated into more and more paper. This process gets stuck when the higher layers in the organization don’t understand when their bureaucratic system can actually be translated into real technology.

They are translating it into more detail, but only in a language that they understand.

And this is not necessarily the language spoken by the people who actually need to implement these policies by putting hands to keyboards and adapting production systems.

Either they think they are done because they have treated the risk at their level, namely the risk of not having a proper risk management system. Having treated that risk, they consider the job finished.

Or the policy makers find new ways of formalizing and proceduralizing the whole process, so that you get processes to manage all the processes. You may recognize Parkinson’s law at work here: work expands of its own accord.

Meanwhile, those who understand technology are overwhelmed by their knowledge of what can go wrong, and can’t see the forest for the trees. And the added layers of paperwork just add to the overwhelm.

Neither side of the organization understands what the other is trying to accomplish, and a common, relevant focus is not achieved. This is a surefire way to produce a lot of waste and not much risk reduction.

And yet, making the connection between policy and execution, management and technology, can be done.

I remember being in a meeting with a risk manager and an IT architect representing these sides. The conversation was going nowhere, until it dawned upon me how I could bridge the gap with examples and explanations.

The discussions became much more productive.

To learn more about the other side, read my book Digital Power: How Digital Infrastructures at Scale lead to Value, Power, and Risk.

Here are some sections from the book that are relevant to this story:

- Information security assets: https://digitalinfrastructures.nl/book/risk/assets/

- Governance over IT, an example: https://digitalinfrastructures.nl/book/power/governance-example/

Please reply with your thoughts and questions. I will answer them.