risk vs. compliance (2)

Policy is created to control risk exposure. Failing to establish coherent and adequate policy drives risk. Classify your assets, test your systems, educate your employees - says the policy. Risk reduction through compliance. 

And the other way round. Ensure that design decisions are explicitly risk-based, says the policy. Compliance through risk management.

Can you see other ways in which the risk (manage potential consequences) and compliance (do as we're told) perspectives are interrelated?


the rest is Risk

In the beginning there was Compliance.

Until our information systems grew complex and interconnected, the Compliance perspective served us fairly well. There was comfort in trusting that Knowledgeable Others had already foreseen what could possibly go wrong and devised clever rules to keep us safe. Do this or that and be secure.

Those were the days.

By now, we have more rules than ever and we still need to follow them. But complying is not enough anymore; we have to fend for ourselves.

The rest is Risk.