In comments to my “Why I Don’t Like CRISC” article, Oliver writes: CobIT allows to segregate what is called IT in analysable parts. Different Risk models apply to those parts. e.g. Information Security, Architecture, Project management. In certain areas the risk models are more mature (Infosec / Project Management) and in certain they are not [...]
Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today. I believe G & C are subservient to risk management. So let me offer you this statement to chew on: “A metric for Governance is only useful inasmuch as it describes an ability to manage risk” True or False, [...]
Our friend Rich Mogull has an interesting post up on his blog called “Always Assume“. In it, he offers that “assumption” is part of a normal scenario building process, something that is fairly inescapable when making business decisions. And he offers a simple, pragmatic process for assumptions which is mainly scenario development, justification, and action. [...]