Re: Cloud selling and Pricing (@jMcPhee)
I've worked at a place where the internal risk reviews, done by an employee of a different department in the same company, were exactly like that.
Real serious issues were not allowed to be raised. By order of the management, the only issues that were allowed to be mentioned were the ones that could be acceptably mitigated at no cost.
So something like only having one developer who knew anything serious about the company's internally developed customer-specific architecture-specific version of gcc, one not used (let alone maintained) anywhere else in the world, wasn't considered a recordable risk by the auditor.
Then one year the developer in question went on holiday and didn't come back. Never seen again.
Still, it mustn't have been a problem, because it wasn't recorded as a risk.