I heard this example today and I thought it was very succinct.
Compliance is binary: either one is compliant or one is not.
Risk is graded: there are different degrees of exposure.
Here is the illustration:
On a desk sits a piece of paper exposing a single person’s non-public information: social security number, bank account numbers, etc., as well as name, address and phone number.
On the same desk sits an unencrypted tape with 10 million records containing the same non-public information and data elements as the piece of paper.
From a compliance perspective, the piece of paper and the tape have the same weight: one is out of compliance. From a risk perspective, the exposure level of one record versus 10 million records is drastically different.
I should also note that this does not contradict the argument that there is a false distinction between Compliance and Security (posture). Compliance is a risk reduction method; it’s just not necessarily a very descriptive way of viewing one’s exposure.
5 Comments
What rot!
Whether I am speeding at 1 or 50 MPH above the speed limit, I am non-compliant … but the cop that stops me will have a completely different attitude in each case. There *are* ‘degrees of (non-)compliance’ just as there are degrees of risk.
More than that, the choice about whether to invest in changing systems, processes etc to achieve compliance with some obligation is itself a risk management decision. Risk averse organizations will choose to be fully compliant before the obligation is in force, whereas others will ‘take a chance’ and spin things out as long as they dare, or until they get caught out.
G.
I agree compliance does have degrees. Some attempt to become compliant and others become a risk, as non-compliance usually raises the risk of that being measured. Unfortunately, some have not identified the risk of non-compliance in their compliance control or captured a Plan of Action and Milestones for the appropriate level of management to lay emphasis on not meeting compliance and reduce the risk. Although Compliance and Risk work hand in hand, there is a large difference in what they do. Compliance is the measure of accomplishing a defined control, regardless of whether the control mitigates the risk. Risk Assessment is the impact a particular process/threat (etc.) has on the environment.
Incorrect, Gary.
In your example, yes 1 or 50 mph, you are not compliant.
The officer’s disposition is based on his Risk Assessment.
1 mph = low risk and probably just a warning.
50+ = high risk and a high fine.
Your second paragraph even makes the point, even with the ‘fully’ qualifier. They are or are not compliant. You can’t be a ‘little’ bit pregnant.
Some things in life are as simple as black and white.
Saying, “I am almost completely compliant,” means you are not, in fact, compliant. Just because you may be 99.999999999% compliant doesn’t mean you are.
gg
Gary-
You are almost correct. There are NOT degrees of current compliance - compliance is binary, yes or no.
There ARE degrees of NON-compliance, ranging from ‘promise to fix that before I have to notice it’ issues to issues that generate company killing fines.
But no matter how many nines you have toward compliance, until you roll to 100% you aren’t.
The difference between compliance and pregnancy is that pregnancy is binary, pregnant or not; virtually all of the compliance universe lies between compliant and not. When 99.9999% compliant is non-compliant, compliance becomes a meaningless issue. While not pregnant is frequently a good thing (pregnant is also frequently a good thing), there is no in-between. When the last 5% of compliance costs 95% of the cost of compliance, full compliance is frequently not a good thing.