What is absurd for one is business as usual (BAU) for the other. Processes and policies should be the heart of any well-organized and self-conscious business. Through the creation of policies, you define the intent and the rulebook that the business needs to adapt its processes and guidelines to. The interaction should be self-evident, but without a functional feedback loop things will break, eventually.
Let’s agree on one thing: we all enter situations with different perspectives. How do you measure the risk of non-compliance or broken processes? Do you polish your internal doings just in time for an assessment, or is it part of the ongoing, self-adjusting consciousness (BAU and processes) of the company?
Every business should handle issues like accountability, physical security, education, server configurations, incident response and visitor management, to name a few examples. On top of that, every business needs to develop and evolve as part of the process as well.
For companies that have a big risk appetite it is possible to accept risk (a humorous attempt to describe the risk-acceptance process below), but it must be followed up and handled in an orderly fashion according to the business’s own processes.
The good thing is that things will get easier for the actual doers. There is a requirement within the PCI DSS that states that executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program, to include overall accountability for maintaining PCI DSS compliance, defining a charter for a PCI DSS compliance program, and communication to executive management. This only applies to service providers, and they have a grace period until the 31st of January 2018 before it becomes mandatory.
But let’s be honest, what can be done without the support of management? Not much, so it might be a good thing to start right now. Unless of course you find it absurd and you are willing to accept the risk.