One of the many ways that a centralized IAM initiative lowers your risk is by forcing many different departments into reducing undocumented courses of action into machine interpretable decisions. For example, prior to the IAM system, an action may have been to get a phone call and take an action, or perhaps “go ask x”. Knowledge which resides outside the system, that the system requires must be logically organized and input into the system. Sometimes you find a situation where the logic used cannot be easily reduced to a truth test because the informaton required is either missing, unknown or inaccurate. When this happens, decisions need to be made whether or not it is useful to fix or fill in the information. This is where things get interesting, where IT needs meet political realities and you hear customer’s say, “Let’s let that one go” or “The CIO will never take that back to the business.” Returning to risk reduction, by automating courses of action or standard operating procedures and reducing them to machine understandable logic, we now have the full set of data manipulation tools that allows us to properly, track, control and secure the processes based on well established principles thereby lowering our risks. Next I will look at missing information in a little more depth.