Technical debt, depreciation and risk

I wrote and posted a piece on Technical Debt on my LinkedIn blog. Its post comment, based on the concluding paragraph, says, “I look at ‘Technical Debt’ in the context of IT budget planning and suggest that it is not such a useful concept. Using standard risk management analysis is a more effective means of planning a maintenance budget which should consist of funding for both error & risk remediation. Depreciation is a better financial model for the problem.”

There must be much written about the nature of depreciation, from physical wear and tear to the need and cost to replace due to increasing failure; perhaps I should look for some reading on how this applies to information systems. I question whether software is an asset in terms of accounting theory; I suppose so, because it has value in more than one accounting period, but can it be realised? I also question the value of placing a cash value on software in use: identifying its cost to acquire is potentially simple, its residual value is much harder, and synchronising this change to a single corporate depreciation rule can be difficult.

Some things I considered writing about include the number of times, while trying to clean up or rationalise corporate IT estates, I was told, “you’re not touching that!”. We used to joke that they’d lost the system which pays the board’s bonuses, but these systems were almost always obsolete and acted as a technology sink, keeping product in the portfolio that should have been abandoned. Recently I came across the phrase “fictional capital”; these systems had an unknown value and the decision to leave them alone seemed based on a pessimistic and fictional view of their value. I sometimes suggested turning them off to see who squealed, but this advice was never accepted.

Also it needs to be considered that the maintenance budget is a function of the size of the information systems portfolio and much of it is a fixed cost. If you don’t spend the money the systems stop, and these costs do not vary with output. …

Fighting Corruption

Sadly I have been looking to see what’s being said about Corruption and Anti-Corruption. I made a wiki post which includes some links on management strategy, including an article from McKinsey’s Journal which offers a brief taxonomy of corrupt practices; this is augmented by Transparency International’s toolkit, to which I link. TI also note that, “The UK Bribery Act, which was passed in 2010, introduces an offence of corporate failure to prevent bribery.” There are also some specific action plans, including current advice from the MoJ. Interestingly, to me, the action plans share many ideas with the risk management practices and IT security controls that I have been working with for many years, and having a robust programme of controls is the only defence against the aforementioned corporate crime.

Construct a taxonomy, develop controls, measure the effectiveness of the controls and fix those that are broken.

This costs money and time, and companies may lose business because of it. No-one says it’s easy.

I have now made a post on my LinkedIn blog which, while repeating some of what I say here, looks at the MoJ Guidance and their six principles and offers some important definitions pertaining to bribery. I highlight the concept of ‘improper behaviour’ from within the legislation. …

Momentum, Democracy & IT Controls

I have written often on the need for transparency requirements for IT security controls and often how one might apply them to e-voting systems. I have specifically written about how this problem applies and is not solved in Momentum. I had a discussion today and recalled the voting results for Momentum’s Democracy Review e-consultation, in particular the vote on CLP governance issues, where over 40 votes arrived in the dying hours of the vote, changing the result, which up to that time had been an important yet sectarian contest between “stop the purge” and “Labour against the witch hunt” as to whose definition of fair expulsions should become Momentum’s view. For clarity, I voted for the “stop the purge” proposal, but either of these positions would have embarrassed Momentum’s leadership as, from their actions, they seem quite prepared to use the exclusion mechanisms against political opponents, and also the disciplinary rules even against former allies, with a very limited support of natural justice.

This is important today as Momentum propose to change their OMOV systems for their central committee but voted not to appoint independent scrutineers. Whether what I saw is true and whether my suspicions are true is not the central test; Momentum cannot prove that the system is safe from an insider attack.

Since the private pages are not archived to the Wayback Machine, I have taken a screenshot of the final result as at 28th July 2019, showing the final results, and posted it below/overleaf. …

Risk, bias and planning

A couple of years ago, I wrote a precis of the McKinsey Quarterly article, “Distortions and deceptions in strategic decisions”. They started with a review of the way human bias can adversely impact strategic investment decisions, illustrating it with a story about a mega-merger which failed. They conclude the article with,

Companies can’t afford to ignore the human factor in the making of strategic decisions. They can greatly improve their chances of making good ones by becoming more aware of the way cognitive biases can mislead them, by reviewing their decision-making processes, and by establishing a culture of constructive debate.

The first half of the article examines the propensity to optimism vs. perceptions of loss aversion and argues that portfolio management is a better way to evaluate the risk, as losses can be compensated by other successes. I believe though that British management, and particularly public sector management, is very risk averse; there is a higher fear of getting things wrong than getting things right, although how we end up with Universal Credit, the Boris “vanity lard bus”, his water cannons and his other “erections”, I don’t know.

What made me remember the article was its listing of what they call tools to isolate any human bias; to me, most importantly,

Another technique is to request that managers show more of their cards: some companies, for instance, demand that investment recommendations include alternatives, or “next-best” ideas.

I wonder how many of these lessons need to be applied to local authority planning decisions. Check below/overleaf for more …


Predicting Outage

Mike Harding (Sun Preventive (sic) Services) presented on his group’s new offerings. The highlight for me was his very dramatic illustration that standard availability metrics, i.e. Four or Five Nines, are historic and cannot be changed; in order to manage, leading indicators are needed, which is why Sun has developed the Operational Risk Index (ORI). This may not be new to some of you, but it is to me despite Richard Morgan’s attempts to keep me up to date. Mike also had a very dramatic illustration of risk dimensions, differentiating between probability and severity (or cost). Interestingly, the bulk of the audience chose to minimise probability not cost. …

About: Risk

I was preparing a project proposal before Christmas and we were trying to define what a risk was (Again!). Some mediocre (if the cap fits……) project managers think to improve their credibility by saying risk every other word. I offer you (& them) the following, although it’s not original,

“A risk is an event that is futuristic, uncertain and detrimental.”

It’s a new FUD! …