Sep 15, 2019

On the economics of supplier due diligence (1 of 3)

Wow, it's been too long! Being so busy and learning bunches on the manager side has its pros and cons, but I'm still in love with the gig and eager to share.

I recently digested "The Federalist Papers" (full copy here) and, for good measure, the "Anti-Federalist Papers" (one of the variations is here) in a vain effort to understand if there really is a practical difference to hang a hat on in certain US political debates. Besides being a refreshing mirror that helps transform some of the stresses of corporate politics (and causing my writing to expand past the brief and modern), this effort has given me a fresh perspective on my current problem space. I hope to distill and share it as a contrast against the common method and its issues with scalability and efficiency in our faster moving, Agile driven stage of the evolution of the Capitalist philosophy.

For those short on time and tired of my verbosity, I intend to share a few key points that could help us level set expectations earlier in the Supplier/Buyer partnership and still achieve a relevant degree of verified trust that is mandatory under many regulations, besides being necessary for a comfortable and successful relationship. If I am as eloquent as I hope to be, I might even convince you it can be done without a specific and constant list of objectives involving fairly precise and consistent measurement cost, but instead with a more artful, still scientific, approach that allows for the comfort of the more LEAN minded as well as the nervous.

So let's tighten this up…

Why do we need to assess supplier risk? Regulations say we have to. Besides that, we want to be sure the Seller will deliver consistently. We have promised to protect our customers' info or deliver a service consistently, after all, and we want them to trust us, so we have to be sure we can trust anyone we decide to rely on. These seem like pretty straightforward reasons for us to invest in some quality assurance over the Buyer both pre-cutover and ongoing.

What does this look like from the Seller's perspective, though? What if they sell to multiple verticals? What if they are starting up and their budget is limited and tight on every category of spend? What if they are just breaking into a more highly regulated vertical than they originally had to build for? What if a larger percentage of their customers are small, higher risk tolerant companies and only a few will want deeper truth? What if their product is one of a kind, top of the heap, best of breed, flavor du jour?

When you see this from the 10k foot view across a large number of cases, it starts to look a lot like the complexity and variety of reasons cited by Publius for designing checks and balances into the system of government: to help assure an effective, always flexible, and continuously evolving government based on a relatively small base of rules beneath a system of common law, which is intended to evolve over time to address the always present squabbles caused by fringe, very local, and often changing differences of position, intent, and degrees of influence.

So why, then, do the majority of Suppliers and Buyers still believe that the very unimpressive approach of a highly flexible but third-party-challenged attestation on top of generically written policies is the most effective and scalable approach to assuring trust in a partnership?

Let's consider the failure points in the two most common methods leveraged for proving and measuring the factors that should determine Trust between the partners.

  • Policies and standards are by their nature aspirational in most orgs. Any appropriately risk taking business outside of the Gov sector will have a potentially long list of exceptions against their own policy IF they have a good balance of IS skills to assure effective detection, discussion, and tracking to full treatment baked in at all levels of their business. Some, most often the smaller, younger firms, consciously choose to invest lightly, if at all, in IS, Compliance, or Audit resources for the benefit of sustaining their preferred spend ratio toward innovation and new business development a few more quarters or years into their business plan. So what value does seeing a policy really provide from the Buyer's side in this context? Certainly it is worth the effort from the Seller's side to satisfy a good proportion of customers in most regulated verticals who may still be drinking the old Koolaid, but does it really add to Trust and assure people are talking to their friends about your ability to help them sleep well at night as a strength? I submit that there is actually very little ROI, but we have to do it as we're trapped by the past, and policies and standards are still a better starting point than nothing for any IS leader to hang their hat on.
  • Third party audits were set up for laudable reasons. If you read the guidance and imagine an honest firm applying it using a high quality assessor, then there is tremendous ROI to be gained, going well beyond the relatively lower secondary benefit of use in Buyer trust development. The company being assessed can potentially meet many governance objectives and assure a high quality operational and security environment through the annual challenge. The dream is sound, but Anderson revealed a hidden truth and GE (IMHO) put the nail in the coffin. Is the dream of a well run and monitored company really what they are used for? Given the high likelihood of exceptions, is it not more probable that more risk tolerant management may prefer to invest in lower-quality assessors, and even avoid testing certain controls, to achieve a report with no issues that will get past more Buyers (for the price tag of a lighter quantity or quality IS investment strategy), Buyers who may not notice that they actually whitewashed some control domains or left out critical scope?
So, if I'm a Buyer who MUST have confidence because my market share is worth protecting, the laws mandate minimum protections for my customers and employees, and the Supplier will present a material danger to my bottom line if they fail or leak, what am I to do, given that this potentially preferred and fallible method is demonstrably successful?

Certainly the first option, preferable to many who have lower blood pressure and faith that they can absorb any incident, is to accept risk. This is always an option. Understanding and describing the degree of the unknown side of the risk that is being accepted is a significant challenge for the IS pro tasked with helping pull back the curtain, particularly when they are actively prevented from doing so, leaving a tremendous unknown beneath an unknowable number of layers of whitewash.

My advice to the Buyer's IS is to consider the quality of the content as an indicator in this decision, not just that the Seller had it ready. The Buyer's risk assessors have to help with education here the most, as the Buyer's mid-level leadership may have seen the problem the same old way, would have done the same to build their own story to get past the gate, and won't understand why mere existence is not sufficient quality.

Let's break this up at this point. More to come soon…
