Policies and Procedures – Page 66 – IS Survivor Publishing

Of risk, bridges and business

Tom Clancy, in A Sum of All Fears, offered this smug assessment: “The Roman bridges of antiquity were very inefficient structures. By modern standards, they used too much stone, and as a result, far too much labor to build. Over the years we have learned to build bridges more efficiently, using fewer materials and less labor to perform the same task.”

Seven years ago, InfoWorld published this response in KJR‘s predecessor, the Survival Guide (“The sum of all projects,” 8/14/2000): “… some of those Roman bridges are still standing a millennium later, while some of our more efficient ones have tumbled into the bay. Adherence to budgets and schedules is our preeminent ethic. One suspects Rome held different values.”

Last week, another American bridge, just 40 years old, tumbled into the Mississippi river in the middle of Minneapolis. Those built by the Romans continue to stand.

What exactly went wrong in Minneapolis isn’t yet certain. We do know already that recent inspections of the bridge did not report that all was well. They reported risk.

The state of Minnesota, my home state, has under-invested in its transportation infrastructure for at least 25 of the last 25 years. So has the rest of the country. We have no reason to believe the 35W bridge collapse will be the only consequence. Current estimates suggest we’ll need to spend $10 billion a year for 20 years to catch up just on bridge maintenance. That will require new taxes. Do you think many voters would support a preventive maintenance platform, should one party or another be to propose it?

In the meantime, roughly 150,000 bridges have a similar risk of failure.

For those who propose the BIG/GAS theory (Business Is Great/Government and Academics are Stupid) as the culprit — don’t even think about it. Business leaders are at least as prone to the same thinking. As a recent KJR explained (“The value of a little failure here and there,” 7/16/2007), they are far more likely to invest in revenue enhancement or cost reduction than in addressing risk, because investments in revenue enhancement and cost reduction yield tangible returns.

In that column I used risk mitigation to cover all ways of handling risk. Two correspondents — Tom Reid and Max Fritzler — recommended a different vocabulary and a more sophisticated way to think about the subject.

The proper cover term, which will be used here from now on, is “risk management.” To manage risk you can Avoid, Insure, or Mitigate (Max supplied the acronym, AIM).

Avoidance means reducing the likelihood that the risk will become an event. Preventive maintenance is one of the most important ways to avoid risk. Staff training, to increase competence, is another.

Insurance includes all tactics that deflect the consequences of risk to someone else. Insurance is the label because that’s the best-known way to deflect the consequences of risk, but there is another. It’s called blame-shifting and it’s quite a popular alternative. Quite a bit of political propaganda goes into blame-shifting. In business, backstabbing often has the same goal. Both are annoyingly effective at deflecting the consequences of risk.

Mitigation means reducing the impact should the risk turn into actual events. Fault-tolerant system design and business recovery planning are well-known risk mitigation tactics. So are cross-training and succession planning.

There is, of course, a fourth risk management tactic. It’s probably the most popular of them all. It’s called hoping. Synonyms are keeping your fingers crossed and denial. Theoretically, you can also accept the risk — consciously choose to do nothing. Usually, though, acceptance is just another synonym for hoping.

Denial has an antidote — developing a culture of honest inquiry. It’s how you get an accurate assessment of risk.

It is, perhaps, the most difficult change in business culture you can attempt. You have to constantly and insistently ask, “Are the data we have trustworthy? Complete? Can we get better data? Are we drawing the right inferences? Will they lead to the results we want?”

And then, “Do the data say our decisions gave us the results we want? If not, what did we miss? What was wrong about our inferences and decisions? What will we do differently next time?”

Tough questions.

You’ll note that most risk management fits our definition of a decision — it requires the commitment of time, staff and money. The exceptions are blame-shifting and hoping, which don’t.

Is it any wonder, then, that blame-shifting and hoping are the most common risk management strategies in America today?

Or that another American bridge has crumbled?

The new prudes

You can’t change people. You sometimes can change their targets.

So it is that while prudes will always be prudes — obsessed with the notion that someone, somewhere, might be having fun — what they are prudish about can and will change over time.

When I was a boy, a peculiar amount of time and energy went into prohibiting consenting adults from doing what they wanted to do together. While still popular in some circles, this form of prudishness is far less prevalent these days.

That’s the good news, and if someone ever introduced a Constitutional amendment that reads, “Congress shall make no laws defining crimes without victims or criminalizing acts undertaken solely between or among consenting adults,” I’d expect it to receive widespread support.

The bad news: The prudes are still among us. They live in IT organizations. You can recognize them easily. They’re the ones who say, “Rules are rules, and we have to enforce them.”

It’s an argument that falls apart on even the slightest scrutiny, but scrutiny is something prudes mostly reserve for the behavior of other people. Self-righteousness, not analysis, is their stock in trade.

These thoughts occurred to me as I read my e-mail following last week’s column (“Roving e-mail,” Keep the Joint Running, 7/2/2007), which presented the imprudence of harshly punishing violations of various corporate usage policies (such as using private e-mail accounts for business purposes).

These are the new prudes, and I’m tired of listening to them. Tired, that is, of those who self-righteously deride anyone who uses their PC for more than word processing, spreadsheets, electronic mail, Internet browsing, and the official list of enterprise applications.

We have PCs that can sing, dance, and play the tuba. The list of what they can do for us is like Einstein’s universe: Finite, but unbounded.

As specifics are more persuasive than generalities, here are some applications I use on a regular basis, which make me significantly more effective in my work. Installing them would be, in many companies, grounds for disciplinary action:

Copernic Desktop Search: Until I migrated to Vista (DON’T DO IT! YOU’LL REGRET IT!!!) Copernic was how I quickly found the files and e-mails I was looking for. I like it even more than Google Desktop.

InfoSelect: The best personal information manager in the world, so far as I’m concerned. You can use it to create outlines, notes, and flat-file databases and find whatever you’re looking for in an eyeblink. I use it to store all the random bits of information I need to stash somewhere. And, it has a version for Palm, so I can find the information when I’m out and about.

Desktop Sidebar: Similar to Google Desktop’s sidebar, and infinitely better than Vista’s visually appealing but space-intensive clunker, I find Desktop Sidebar to be a terrific way to keep the weather, stocks, and blogs I track right in front of me. It’s compact, stable, and … nifty.

Treo/Blackberry: Yes, there are still a lot of companies that don’t let you connect a Treo or Blackberry to your PC or laptop. I can e-mail or call anyone in my Outlook address book from my Treo. Their employees can’t.

Digital camera: We do a lot of whiteboard work with clients. When the whiteboard is full we take its picture. It’s cheaper than a “smart board,” ubiquitous, and we can store the original electronically. Many companies wouldn’t let us upload the pictures.

Allway Sync: I don’t know if it’s better or worse than any other file synchronization tool. It works for me. It keeps track of parallel folder trees on different drives or computers, recognizing new files, changed files, and deletions. Simple and painless.

Many companies employ professional prudes to prevent this sort of thing from happening. The theory is that doing so cuts the cost of IT. My theory is that if you buy this theory I can cut your IT costs to zero. Just turn it all off.

Here’s a suggestion: Instead of employing professional prudes to prevent end-users from finding better and more productive uses for information technology, show some leadership instead. Give someone the job of developing the richest set of tools possible for your company’s PCs, and the job of promoting their use.

The job title? I must be in the wrong mood, because everything that occurs to me right now would make at least some readers snigger.

Suggestions?