A Signal That You Are No Longer Targeting Effective Risk Management

Over the years, I have been witness to many instances of “responsible”/“accountable” word feuds.  In truth, I have been maneuvered into the early stages of these tangents on more than one occasion.  I believe that their presence is almost always a signal that effective risk management is no longer the mission.

Whenever compliance discussions evolve into arguments about the meaning of “responsible” versus “accountable,” stop and think about the trajectory of your effort.  Chances are that you are no longer involved in “risk management.”  The key is generally to ensure that there remains a strong link to compliance monitoring, reporting, and enforcement.  Where there is no link, there is no information security, infrastructure, or infrastructure operations risk management activity.  If you are a lawyer, and your focus is to use the “responsible”/”accountable” vocabulary to achieve some gain or to dodge some liability for your corporation, you have my support, but it is not related to the security business.

Tight-enough coupling between the descriptions of what must or should be achieved, and the monitoring, reporting, and enforcement used to ensure an appropriate level of compliance is a key indicator of an effective risk management focus.

Absent that coupling, attempt to re-focus the effort participants’ energy away from “responsible”/“accountable” word-smithing, and back toward the job at hand.
