
Posted by ahamez 2 days ago

Company as Code (blog.42futures.com)
262 points | 127 comments
fergie 1 day ago|
Surely, in just about every company today, all of the examples in the article are already handled by databases and SQL?
qwertyuiop_ 2 days ago||
The OP doesn’t understand the “gray zone” corporations operate in. Pretty much every interaction, decision and action operates in this domain. Ambiguity and intentional compartmentalization on a need-to-know basis.
miohtama 2 days ago||
I recommend the book Accelerando by Charlie Stross:

“Um.” Manfred finds it, floating three tiers down an elaborate object hierarchy. It’s flashing for attention. There’s a priority interrupt, an incoming lawsuit that hasn’t propagated up the inheritance tree yet. He prods at the object with a property browser. “I’m afraid I’m not a director of that company, Mr. Glashwiecz. I appear to be retained by it as a technical contractor with nonexecutive power, reporting to the president, but frankly, this is the first time I’ve ever heard of the company. However, I can tell you who’s in charge if you want.” “Yes?” The attorney sounds almost interested. Manfred figures it out; the guy’s in New Jersey. It must be about three in the morning over there. Malice—revenge for waking him up—sharpens Manfred’s voice. “The president of http://agalmic.holdings.root.184.97.AB5 is http://agalmic.holdings.root.184.97.201. The secretary is http://agalmic.holdings.root.184.D5, and the chair is http://agalmic.holdings.root.184.E8.FF. All the shares are owned by those companies in equal measure, and I can tell you that their regulations are written in Python. Have a nice day, now!”

Multicomp 2 days ago||
Thanks for the recommendation, I've put a hold on it for my library now.

This article reminds me of another book [1] called Holacracy where how a business is run is systematized according to other pre-defined principles. David Allen, a productivity trainer, used it at his own company for several years before eventually moving away from it because the ongoing overhead to keep its system up was too much.

I wonder if this system will end up like that as well. I love the idea, but I think humans operate at a squishier level than our computers do, there's a risk of 'massive bureaucratic dehumanization and inflexible processes' and the Iron Law of Organizations that make such efforts as that book and this article fraught with peril. Taylorism has its limits.

But hey, if this works, I'll be excited to see more businesses adopting better practices and less painful fumbling around trying to do practices in an organic or unplanned way.

[1] https://www.holacracy.org/blog/dac-ceo-reflects-on-holacracy...

AceJohnny2 1 day ago||
Accelerando's algorithmic company structure and (near?) DDoS of the corporate legal system is the one idea from Accelerando that has stuck with me the most over the 20 years since I first read it, and I came here to make the exact same reference.

(that, and the notion of Exocortex, which is what I've named some of my smartphones...)

djeastm 1 day ago||
Massively complex cells of living organisms have their entire functionality encoded in DNA, so why can't a business encode their functionality, too?
WestCoader 1 day ago||
>Reimagining organisational structure *for the digital age.*

If you're just now thinking about it in this context, then you're about two decades too late.

alexsmolen 1 day ago||
I love this idea despite the real world operational challenges - most people with governance responsibilities in organizations don't want to code, and code is often too precise to model messy social/organizational context without constant tweaking, tending, and exception management.

I'm an advocate for bringing software culture to GRC, or as it's sometimes called “GRC Engineering”. While there are plenty of products to automate evidence generation for auditors, the underlying policies and documents that they prescribe are usually still old-school Word/PDF-style boilerplate junk.

I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.). Docs are Markdown with YAML frontmatter metadata, interlinks generated automatically, site is published via GitHub Actions.

The code is at https://github.com/engseclabs/graphgrc, and you can see an example published site here https://graphgrc.engseclabs.com.

Would love to know if others find it useful or have built similar systems.

Terretta 1 day ago|
> I'm working on an open source project for security policies/processes/standards that map back to underlying frameworks (e.g. SOC 2, GDPR, ISO 27001, etc.). Docs are Markdown with YAML frontmatter metadata, interlinks generated automatically, site is published via GitHub Actions.

> Would love to know if others find it useful or have built similar systems.

Yes, to both for over a decade now, and by now there are many so one doesn't need to rewalk the whole path, some are developed in open on GitHub.

Commercial firms have built on that for live monitoring of the mappings, although don't scratch at that too hard, it's generally mostly (a) self-selected subsets of controls, and (b) manually self-reported at the end of the day.

Product examples: https://delve.co or https://safebase.io/products/trust-center

Applied example: https://trust.openai.com

Have you Googled this or talked to large firms (e.g. banks) that care about avoiding footfalls with regularly scheduled regulator exams? Writing your own shows you grok the concept, many need (well paid!) help applying something off the shelf or from OSS.

alexsmolen 1 day ago||
In my research I haven’t come across the prior art you suggest exists. The trust centers you linked aren’t fungible with what I’m building with GraphGRC. The idea is to make all your security docs just a GitHub repo with structured markdown that permits useful automation (e.g. generating linked internal site, validating all docs have been “reviewed” annually by checking metadata, change control via PR, etc.)

There are plenty of GRC products out there and they are popular for good reasons, but I don’t think any of them are Git/Markdown/developer-first.
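
The annual-review check described in the comment above, sketched as an added example; it is not part of the thread and not GraphGRC's code. The frontmatter field names (`last_reviewed`, `frameworks`), the file paths and the sample documents are assumptions constructed for illustration, and the parser handles only flat `key: value` frontmatter.

```python
import re
from datetime import date

# Constructed sample repo contents; field names are assumed, not GraphGRC's schema.
DOCS = {
    "policies/access-control.md":
        "---\ntitle: Access Control\nlast_reviewed: 2025-03-01\nframeworks: [SOC 2]\n---\n# Access Control\n",
    "policies/backup.md":
        "---\ntitle: Backup\nlast_reviewed: 2023-11-15\nframeworks: [ISO 27001]\n---\n# Backup\n",
    "policies/incident-response.md": "# Incident Response\n",
    "policies/vendor-risk.md":
        "---\ntitle: Vendor Risk\nlast_reviewed: TBD\n---\n# Vendor Risk\n",
}
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)

def parse_frontmatter(text):
    """Return flat key/value frontmatter as a dict, or None if the block is absent."""
    m = FRONTMATTER.match(text)
    if not m:
        return None
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta

def review_findings(docs, today, max_age_days=365):
    """Return (path, problem) pairs for docs that fail the annual-review gate."""
    findings = []
    for path, text in sorted(docs.items()):
        meta = parse_frontmatter(text)
        if meta is None:
            findings.append((path, "no frontmatter"))
            continue
        raw = meta.get("last_reviewed")
        try:
            age = (today - date.fromisoformat(raw or "")).days
        except ValueError:
            findings.append((path, f"missing or unparseable last_reviewed: {raw!r}"))
            continue
        if age < 0:  # a future date would silently pass a naive "age <= 365" check
            findings.append((path, "last_reviewed is in the future"))
        elif age > max_age_days:
            findings.append((path, f"review overdue by {age - max_age_days} days"))
    return findings

if __name__ == "__main__":
    problems = review_findings(DOCS, date(2025, 6, 1))
    for path, problem in problems:
        print(f"{path}: {problem}")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI job
```

Run as a required check on pull requests, a script like this turns the review date into something enforced by change control rather than self-reported.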

thaack 2 days ago||
This is essentially the concept of LDAP/Active Directory.
exterm 1 day ago||
Cybernetics
jstrong 1 day ago||
man, I can't wait to wrangle a giant YAML file to be able to take a sick day!
elcapitan 1 day ago|
Every few years some technocrat looks at the organizational chart of a company and yells "why is this not a machine yet". And then the next 5 years people have to come up with elaborate ways how to do the actual work inside the artificial abstraction that the technocrats create because of this.