A repost of the Interview by Joseph McCafferty From the MIS|TI Training Institute
February 13, 2017
We’ve all seen ambiguous and imprecise language in the business world, whether in standards and regulations, our own policies and requirements, or in everyday reports and memos. Words like “adequate,” “reasonable,” “suitable,” and “appropriate” pervade business writing, especially when it comes to setting rules and standards, including those that internal auditors must provide assurance over.
Jeffrey Ritter, a data security and governance expert and lecturer at Johns Hopkins University and University of Oxford, says it’s no accident that business writing is littered with confusing and imprecise language. “The goal is to be intentionally ambiguous,” says Ritter. He says such language allows us to take shortcuts and avoid the hard work of being precise. He says it also keeps one group from having to learn the business vocabulary of another or to really understand what they are trying to say at a detailed level.
“So often when we go writing rules the authors face two continuing challenges. The first is that they are writing rules for others, not themselves. And in doing so, they often fail to use the language that the people who are being regulated by those rules use in everyday business,” says Ritter. “Whether those rules are legal rules, corporate policies, or performance standards, they often don’t align with the vocabulary we use to run our business,” he says.
Another issue, says Ritter, is that when it comes to writing rules or standards we too often try to make one set of rules that can be used by everyone. “Inside companies, when we are looking at different policies or procedures, the needs of operations are different than the needs of engineering, which are different from the needs of assembly, which are different than the finance office. And yet when we are writing some kinds of rules—particularly the kinds of things that internal auditors are being asked to examine—the rules end up falling back on broad adverbs and adjectives that work across these different communities,” says Ritter. “But because they are broad, they don’t provide the business units, or ultimately the auditors that examine the integrity of those units, the precision they need. If we make the box big enough, every round peg will fit into it.”
The Chasm of SIAM
According to Ritter, modern business tools allow for more precision and metrics that are more accurate. He cites Six Sigma and other initiatives that focus on greater precision. However, he says, the language that we use continues to lack that same precision. “No one really knows what these rules require. In the 21st century we are moving toward a model where we emphasize metrics and where we emphasize evidence-based decision-making but none of these are thought about by the people who are writing the rules and we end up with this huge disconnect between the ambiguity of the rules and the way we want to count compliance, with metrics and with precision,” he says. Ritter has a name for this disconnect. He calls it “The Chasm of SIAM.” SIAM stands for words that are Semantically Intentionally Ambiguous in their Meaning.
Ritter says vague language can wreak havoc in areas such as risk management and information security. “Managing risks is a constant calculation of threats, vulnerabilities, and probabilities of success, impact, and recovery. When SIAM is used in data security, for example, without greater precision, the calculations become guesses,” says Ritter. “And, once again, after the manure has flown, investigators, insurance claim specialists, lawyers—we are always looking for the information that shows where the evidence of the likely adverse event was present, but not considered.”
In order to avoid ambiguity and vague words, Ritter says it’s important to consider how the report, memo, standard, or other communication will be used and who will use it. He recommends first answering such questions as: “What is the action the actor is to perform? How will performance be measured? And how will performance be reported?”
“Engineers, auditors, internal compliance—all need greater precision, and the sooner we move away from using SIAM rules as the basis of evaluating processes, the better,” he says.