In my study, after reading many frameworks and looking at various things, I was intrigued by one called the Cynefin framework. Basically, it takes an organization and divides it into four quadrants, and in the middle you draw a fifth region that you call disorder. So when I talk about my organization, the middle is disorder.
Obvious quadrant-the domain of best practices
So in the lower right-hand quadrant we have the “obvious” domain. In the obvious domain we use best practices, because these are things that are well known and that everybody should understand. If we look at it from a risk assessment point of view, we should be using quantitative risk assessment, because these are things we do all the time, so we have lots of data, and we should be making those processes as good as we can.
Complicated quadrant-the domain of good practices
If we move up, the next quadrant is called “complicated”. Things start getting a little more complicated here, so there are no best practices and we use good practices instead. In the information security world that means things like the code of practice, ISO 27002; if we’re talking about service management, it means things like ITIL. These are good practices.
Complex quadrant-the domain of emergent solutions
The next one, moving over, is the quadrant called “complex”. Now we are dealing with very complex things, and what we have to do is look for emergent practices: what are other people doing in this particular area? So we start to look at benchmarking and similar things to understand what others are doing. But we can’t use quantitative risk assessment, because these could be what we call “dragon kings”, which are a flavor of black swan that happens more frequently. They still don’t happen often enough for us to have the data to do a quantitative risk assessment, and we might not even have thought of the scenario, so we can’t do a qualitative risk assessment either. Here we have to use complexity management tools, and there are a number of tools that people are selling.
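The distinction drawn here and under the obvious quadrant, that quantitative risk assessment needs a large body of observations and breaks down for events too rare to produce them, can be shown with a small simulation. The Python below is an added example, not from the talk or from PECB, and it uses the common annualized loss expectancy formulation (ALE = ARO × SLE) that the text does not spell out. The two scenarios, their rates, their loss figures and the five-year observation window are constructed assumptions.

```python
import random
import statistics

# Annualized loss expectancy (ALE) = annual rate of occurrence (ARO) x single
# loss expectancy (SLE). The two scenarios below are constructed for
# illustration; the figures are assumptions, not data from the page.
FREQUENT = {"name": "frequent low-impact event", "aro": 50.0, "sle": 500.0}
RARE = {"name": "rare high-impact event", "aro": 0.02, "sle": 5_000_000.0}


def true_ale(aro, sle):
    """ALE computed from the (assumed known) underlying rate and loss."""
    return aro * sle


def poisson_count(rate, horizon, rng):
    """Number of events in [0, horizon) years for a Poisson process with the
    given annual rate, counted via exponential inter-arrival times."""
    count = 0
    t = rng.expovariate(rate)
    while t < horizon:
        count += 1
        t += rng.expovariate(rate)
    return count


def simulate_ale_estimates(aro, sle, years_observed, trials, rng):
    """Estimate ALE the way an analyst would from a loss register covering
    `years_observed` years: total observed loss divided by years. Repeated
    `trials` times to see how much equally valid histories disagree."""
    estimates = []
    for _ in range(trials):
        n = poisson_count(aro, years_observed, rng)
        estimates.append(n * sle / years_observed)
    return estimates


def relative_spread(estimates, truth):
    """Standard deviation of the estimates as a fraction of the true ALE."""
    return statistics.pstdev(estimates) / truth


def fraction_zero(estimates):
    """Share of histories in which the event was never observed, so the
    register would put its ALE at zero."""
    return sum(1 for e in estimates if e == 0) / len(estimates)


def compare(years_observed=5, trials=2000, seed=1):
    """Run both scenarios with a fixed seed and report how well a register of
    `years_observed` years recovers the true ALE for each."""
    rng = random.Random(seed)
    report = {}
    for scenario in (FREQUENT, RARE):
        truth = true_ale(scenario["aro"], scenario["sle"])
        est = simulate_ale_estimates(
            scenario["aro"], scenario["sle"], years_observed, trials, rng
        )
        report[scenario["name"]] = {
            "true_ale": truth,
            "relative_spread": relative_spread(est, truth),
            "fraction_zero": fraction_zero(est),
        }
    return report


if __name__ == "__main__":
    for name, r in compare().items():
        print(
            f"{name}: true ALE {r['true_ale']:,.0f}, "
            f"estimate spread {r['relative_spread']:.0%} of truth, "
            f"never observed in {r['fraction_zero']:.0%} of 5-year histories"
        )
```

Run it directly. The frequent event's ALE is recovered from a five-year register to within several percent, which is the case for quantitative assessment in the obvious domain. The rare event has a larger true ALE but goes unobserved in roughly nine out of ten five-year histories, so the same register would put its ALE at zero and the method says nothing useful about it, which is the situation described for the complex domain.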
Chaotic quadrant-the domain of novel solutions
The last quadrant is called “chaos”. Each boundary between these domains is a sort of little cliff: I can fall from complicated into complex very quickly, and I can move from complicated back into obvious once something has been around a while and we have put a best practice in place. But the biggest cliff, if you want to call it that, is from the obvious domain into chaos. We’re working away thinking we’re doing a really good job on our process, and all of a sudden we find that we are wildly out of control and in a chaotic environment. You have to manage these domains, make sure you understand the relationships between them, and make sure you’re not falling from an obvious environment into a chaotic one.
Author
Peter T. Davis
PECB Certified Partner and Trainer. He is also the Principal of Peter Davis + Associates, which provides governance, audit and security services to financial, education, government, insurance and manufacturing clients. Mr. Davis holds several certifications, including CISA, CMA, CISSP and PMP.