RCSA is close to BAU

Close, as in no cigar yet (has the US ban on Cuban import been lifted already?).
But definitely, Risk Control Self-Assessments would, if carried out properly, be that major part of management’s daily (sic) chores that wouldn’t need annual get-togethers coaxed by outsiders (sic) but would be Business As Usual in operational practice. Maybe needing some periodic (weekly? monthly? certainly more than as now weakly annually) departmental review gathering but not a stage show as if this is the holy grail of business information flow. After which the ‘second line’ (as the back not even middle office function) receives the (right) info and acknowledges that the ‘first’ line has so much better sensors since they’re the first line par excellence, integrates the info into the upward report flow and reverts to fine-tuning the tools they provide to first-liners, and furthermore does … nothing. Second line is helpers, not dictators-by-soft-smothering. When it would turn out that all the high-quality hence qualitative (the reverse for quantitative) risk pics cannot be easily integrated into one pic, that’s too bad for the integrators but an appropriate (!) reflection of reality.

And if, on the other hand, first-liners need to be taken away from their actual productive work to sit in some song-and-dance by second-liners because it was so decreed by ‘governance’ levels (emperor’s clothes!), the very objectives will not be achieved. Since the ‘do something’ by deep-lying incompetence has lead to the wrong turn into a blind alley whereas the broad avenue (something like Younge Street) between wilderness and high (?) culture.

[I scheduled this post a couple of weeks ago for release in a couple of weeks but new developments seem to speed things up. For my many posts against Form over Substance … just search this blog for ‘TLD’ or bureaucracy …]
Won’t rant (too much) on; keep it to RCSA = BAU + quite some ε still, and:
[Distorted? Only your picture is, here for a change, by standing too close; true reality is  not at the Edinburg Royal Mile!]


About maverisk

Maverisk Consultancy, IS Audit and Advisory services: Wikinomics meets governance and audit; otherwise, see my personal LinkedIn profile
This entry was posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologicallly driven) and tagged , , , , , , , , . Bookmark the permalink.

One Response to RCSA is close to BAU

  1. Pingback: Your valued info at risk | Maverisk

Your comments are welcomed!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s