Monday, March 31, 2008

The Beauty of Guesstimates

Howdy,

I just published the latest entry to my Visible IT blog titled "The Beauty of Guesstimates: Qualitative Assessments in Quantified Terms."

Here's a teaser:

"Not everything that counts can be counted, and not everything that can be counted counts." -- Albert Einstein

I've spent an embarrassingly large amount of my time the past week deep in the details of the COSO ERM Framework. I was trying to get to the bottom of what COSO specifically requires in a risk assessment process, and as I was digging through it the Einstein quote listed above kept drifting through my mind, because it's unclear, to me at least, how much credibility should be given to qualitative risk assessment techniques.

The COSO ERM - Integrated Framework document makes this assertion:

"An entity's risk assessment methodology comprises a combination of qualitative and quantitative techniques. Management often uses qualitative assessment techniques where risks do not lend themselves to quantification or when either sufficient credible data required for quantitative assessments is not practically available or obtaining or analyzing data is not cost-effective. Quantitative techniques typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques." -- from COSO ERM - Integrated Framework

This statement would seem to imply that risk assessments based on quantification are preferable, and that more subjective, qualitative methods should only be used when the data that goes into quantification models is not "credible" or when the cost of obtaining the data is too high.

Maybe for enterprise risk management this is a reasonable approach, but not in the realm of IT Governance, because there are just too many important considerations in an IT organization that can't be quantified readily. That's why the Einstein quote kept coming back to me...


As always, I welcome your feedback either here or on the original blog entry.

Monday, March 24, 2008

Protecting Britney's Data

Greetings,

I just posted the latest entry to my blog. This week I discuss, "Protecting Britney's Data."

Here's a teaser for ya:

The UCLA Medical Center is in the news for a privacy breach. Again. The victim? Britney Spears. Again. The full story is published in the L.A. Times under the headline "UCLA workers snooped in Spears' medical records."

In 2005, when she had her first child at UCLA, employees were caught snooping in her medical records even though they didn't have a need to know. On January 31st of this year, Ms. Spears was checked into the psychiatric unit for treatment. And again, employees could not resist using the hospital's medical records system to snoop on her medical record files. All in all, UCLA Medical Center is taking steps to fire 13 employees of the hospital and suspend 6 others. Six doctors are facing disciplinary actions.

There's nothing new about a privacy breach at a hospital these days, unfortunately. But this story is interesting because it can be spun as a case of not learning from past incidents. I wonder, though, if that's true...

As always, I welcome your feedback either here or at the Visible IT blog.

Monday, March 17, 2008

The Importance of Scalable Metrics

I just posted the most recent entry at my Visible IT blog on the importance of scalable metrics. As always, your thoughts and comments at the blog are much appreciated!

Monday, March 10, 2008

Negotiating Control

Hi all,

I just posted the latest entry to my Visible IT blog called "Negotiating Control," which applies some ideas from Tyler Cowen's book, Discover Your Inner Economist, to the topic of business process modeling. It's a stretch, but I think it works. As always, I appreciate your feedback either directly at the Visible IT blog or here.

Thanks!
Calvin

Monday, March 3, 2008

RACI Matrices and Personal Health Record Services

I've just posted to my Visible IT blog a new entry titled "Using RACI Diagrams to Think About Personal Health Record Services," which suggests that many of the concerns about the security and privacy of personal health records in online services are misplaced. Read the article to find out where the biggest concerns for PHR services are!

As always, I would appreciate your feedback either here or on the original blog post.