risk vs. compliance (2)

Policy is created to control risk exposure. Failing to establish coherent and adequate policy drives risk. Classify your assets, test your systems, educate your employees - says the policy. Risk reduction through compliance. 

And the other way round. Ensure that design decisions are explicitly risk-based, says the policy. Compliance through risk management.

Can you see other ways in which the risk (manage potential consequences) and compliance (do as we're told) perspectives are interrelated?

No comments: