My friend Mark Curphey writes an article, “Checklists are Not For Dummies, Dummy”, which looks at the use of checklists and how they are important for quality and the reduction of variance. I think it’s important in this day and age of “Security Through Diligence” to take a look at what checklists can and cannot do, because Mark makes an important point - reminding us that there is a time and place for everything under the sun, even the much maligned checklist. Before we get into this, let’s discuss some terminology, because I’ll be using these terms to make some distinctions:
- State of Nature: State of Nature just means what the current state is. “There are two ISSA Journals on my desk right now” - a State of Nature statement.
- State of Knowledge: Analysis derived from examination of the State of Nature. “One of these ISSA Journals has an article co-authored by Donn Parker on ROI. I’ve read it, and it makes some statements he regards as truth. Looking at those, well, I know that risk is quantifiable, best practices have significant issues, and there are many, many other statements of authority in the article that I can refute on evidence.” - Analysis, or State of Knowledge.
- State of Wisdom: Synthesis from the analysis. The “So” moment. “So since there are many statements of authority made in the article that I can refute on evidence, I should be open but skeptical about whether the conclusions of this article are likely to have much value to me in my quest to understand the value of risk-reducing investments.” What I’ve synthesized from the quality of the article - State of Wisdom.
(Just a clue for our readers: anytime you read someone talk about risk and mention the term “actuarial”, be skeptical about the conclusions they have you draw from the statement using that word. 9 times out of 10, what I’ve read after someone says “actuarial” is made as authoritative but shows a level of ignorance on the subject. If you really want to mess with them, say “Really! Well, tell me how you feel about the use of non-parametric Bayesian methods” and wait…)
MMMMM-MMMMMMM CHECKLISTS!
So what about Checklists? They’re worth discussing because we’re swamped by them! Heck, we’ve got people in love with the idea of checklists of checklists and claiming GRC nirvana is not in the checklist itself, but in the mapping of checklists.
Here ya go: Checklists have two uses -
First, they can give us a path to accomplish something. I make a checklist every morning that I call a “Todo List”. Useful checklists could be, as Curphey mentions, steps for operating machinery or performing a certain task (heck, the scientific method could be said to be a checklist of steps in analysis). Checklists are useful in this way because, well, we’re fallible, absent-minded, and novices. They serve to reduce some level of variability in a process.
Second, they can help us develop a State of Nature. PCI or ISO are very nice checklists that, once you’re done, certify that a certain set of controls exists. Again, this serves to reduce some level of variability, comparing you to a “best practice”.
And so…..
Both uses are valid - as long as the limitations therein are understood! And that’s where we get into trouble. Too many times we believe that checklists are a State of Knowledge. Checklists allow for some limited analysis, just like the use of ordinal numbers to describe “risk” - they only serve to identify some level of variability, nothing more.
But outside of that they usually offer us no analytical function at all; they cannot provide a State of Knowledge, and therefore, more succinctly, checklists are dumb.
As slightly paranoid, skeptical and jaded risk management professionals, we know this to be true. A PCI-compliant company may or may not be at all “secure” or “risk-free” or even “risk-reduced”. The checklist is some prior information for that aspect of analysis, but not nearly all the information we need for an analysis of risk, or even for a statement about the ability to control or resist. We know an ISO-certified organization did what they claim they do well enough to at least fool an auditor once, but we cannot arrive at any other State of Knowledge without more effort.
Make no mistake, the checklists we commonly deal with provide a very, very limited State of Knowledge. Only analysis (with rigor and testing) will provide that. And note that a State of Wisdom (what we’re really after, after all) is predicated on a strong State of Knowledge.
WHAT ARE YOU MANAGING TOWARDS, REDUX
So if checklists only provide a State of Nature, and are incapable of really giving us Knowledge or Wisdom - then let me encourage you to think about the amount of time you spend just getting a certain State of Nature and the relative return on that investment vs. the amount of time you spend in analysis and synthesis. Is your time best spent mapping checklist to checklist - or is it better spent developing the analytics that allow us to synthesize wisdom?
AMAZE AND CONFUSE YOUR FRIENDS AUDITORS
Let me finish by encouraging you to have a frank discussion with those who perform your audit function. You must really pin them down on whether they intend to give you any analysis at all - and when/if they do provide analysis, press them on what rigor they use to create a State of Nature, and then on the means by which they create a State of Knowledge (that belief statement based on the State of Nature they see).