Two tankers were trapped in heavy seas. One carried a load of red paint; the other carried purple.

Despite the heroic efforts of their captains, the ships drifted closer and closer together, until finally, they crashed.

The sailors were marooned.

I have, sad to say, a fondness for plays on words. It’s a horror for friends and family, and might account for why I have so few of either.

Edward Tufte has a different use for the word punning. He uses it to describe the confusion caused when one word has two separate meanings, and apparently considers it reprehensible. Of course, by adding this definition to an existing word, he has created an opportunity for more punning (his version) to happen, but it’s a small sin.

Reader Jim Ehrlich brought this to my attention in the context of last week’s column on risk mitigation (“The value of a little failure here and there,” KJR, 7/16/2007). His point: “Risk” is susceptible to punning, in that it encompasses two very different concepts — voluntary risks and inflicted risks. Business decision-makers conflate them at their peril.

Risk mitigation is a response to inflicted risks. Businesses don’t choose to place themselves in harm’s way when it comes to (for example) malware, system intrusions, embezzlement, or, for that matter, floods, fires, tornadoes or hurricanes.

With inflicted risks, the choice businesses have to make is how and how much to mitigate them. You install antivirus software and firewalls, implement process controls, develop and test business continuity plans, and buy insurance. You live with the residual risk, recognizing that no risk mitigation program is perfect.

Voluntary risks are a wholly different matter. The easiest way to make sense of them is to recognize that every decision a business makes is an investment decision. This is by definition: Decisions commit or deny time, staff and money. Everything else is just talking about it.

When you make an investment decision, part of your decision is how much risk you’re willing to take.

Some people are comfortable investing in junk bonds and hedge funds. They figure that for the increased risk of the investment, they get an opportunity for a higher payoff.

Once they make the decision to invest they don’t spend time and energy trying to mitigate the risk. What would be the point? Or, for that matter, the technique?

I know of no insurance company that will sell you a bad-investment policy, except maybe Lloyds of London, which will theoretically insure anything at all.

Were someone willing to write you a policy, though, it wouldn’t help. The underwriters would figure the risk and charge you a premium big enough to cover the spread. You’d come out about the same as you would if you’d invested in something safer, minus the insurance company’s profit on the policy.

So smart businesses (or, more accurately, businesses with smart decision-makers) do what smart investors do. They take risk into account during the due diligence they perform on each decision, and handle the remainder by choosing the rest of their “investment portfolio” (the sum of all decisions with impending business consequences) to provide a comfortable balance.

You’ll often read that businesses make decisions, then do what they can to minimize the risk. This isn’t strictly speaking true. In most cases, “minimize the risk” means becoming very skillful.

The failure rate for mergers and acquisitions, to take an example, is around 70%. The reason it’s so big is that most companies that engage in mergers and acquisitions are amateurish at execution. Among companies that are good at mergers and acquisitions, the failure rate is very low.

We’d be done except for one annoying, nagging point: Voluntary risks and inflicted risks aren’t entirely separate subjects. They overlap.

For example: A retailer might choose to locate a store in the inner city instead of a shopping mall. Built into that decision is an increased risk of vandalism.

Does that make the vandalism a voluntary risk? Yes — the retailer chose the location consciously, knowing the crime statistics for the neighborhood. Does that mean vandalism isn’t an inflicted risk? Of course not. In the end, vandalism is a choice made by the vandal, not the retailer.

The risk of vandalism is both chosen and inflicted.

So, with apologies to Dr. Tufte, punning isn’t always an intellectual sin. That’s because Earth isn’t so conceptually sterile that we can avoid punning entirely.

Especially when someone hands us a good straight line.

That members of the Bush administration used Republican National Committee e-mail accounts instead of their official government accounts leads to troubling questions.

No, not the troubling legal and ethical questions. They aren’t KJR material. If you’re looking for self-righteous indignation on that subject, plenty of political blogs have already plowed that field.

Here at KJR we rarely indulge in self-righteous indignation. Our preferred vices are sarcasm and irony. With that in mind:

Many in the IT punditocracy have made much of the RNC’s amateurish systems management. It’s clear system security and recoverability went well beyond dreadful.

This is no academic concern. The RNC acknowledges it lost hundreds of thousands of e-mail messages and can’t get them back. Unless you interpret the loss as the result of malicious intent, it’s difficult to explain away the problem as anything other than total incompetence. (And can you imagine how frustrating it must be for Karl Rove that he can’t retrieve his e-mail archives?)

But that isn’t a proper KJR subject either. Well, it is, actually, but not this week. You’ll have to wade through another few paragraphs for the point to emerge, though, because, elsewhere in the news:

Gloria Long Rollins, Town Manager of Walkersville, Maryland, removed the toilet paper from all restrooms in the town’s parks. Vandals, you see, had set some paper on fire in a men’s bathroom. And so, to combat vandalism, graffiti and drug use in the parks, visitors will henceforth have to bring their own, whether it’s toilet paper, spray paint, drugs or kindling.

Here’s the connection, and its relevance: Bush administration members aren’t alone in ignoring the official systems IT provides them, and Gloria Rollins isn’t alone in overreacting to irritating infractions of the rules. The combination is, to coin a phrase, a vicious cycle.

Okay, I didn’t really coin the phrase. Still, it is a cycle and it is vicious. Please make allowances.

The Bush-league question for KJR readers is how many business users in your company make use of Gmail, Yahoo! Mail!, or Hotmail for business use, and why. The Walkersville question is how you respond when they do.

Here’s the usual response. I’m sure someone somewhere calls it a best practice:

1. IT writes a policy making the use of private e-mail accounts illegal.

2. IT explains to all managers and staff that this is the policy, and that failing to adhere to it will result in disciplinary action, up to and including termination.

3. Someone actually enforces the policy, including termination, proving that in more than one small village, the local idiot has gone missing.

It isn’t that the use of private e-mail accounts is a good idea. Of course it isn’t, as the RNC was kind enough to demonstrate.

It’s that the proper response isn’t to remove the metaphorical toilet paper. It’s better to ask the offending parties, in a friendly, engaging, and entirely unthreatening tone of voice, “So … er … when you compare Gmail to our corporate e-mail system, why do you like Gmail better?”

And then, when they tell you (“Gmail gives me gigabytes of storage. You don’t.”), take what they say seriously.

E-mail is just one example of this common phenomenon: If end-users don’t like the systems you provide, many will find alternatives they like better. If they hate your BPM (business process management) system they’ll put together their own tracking sheets in Excel. If they detest your locked-down PCs they’ll buy their own Macintoshes.

And if they hate your CRM system (“customer relationship management,” but it’s a poor use of the term) they’ll use Salesforce.com, or install Act!

(Not that it matters, but if Yahoo! was to host Act!, where would it put the exclamation points? Oh, never mind.)

For some unaccountable reason, instead of assuming these employees come to the office wanting to succeed at their jobs, many in IT assume they’re malicious vandals who in other circumstances would set fire to the toilet paper in Walkersville’s public restrooms.

I don’t want to push the metaphor too far. I’m not saying Gloria Rollins should have asked her vandals whether they were mad because she didn’t buy Charmin. Even if she had, I’m guessing the vandals would have been too drunk to answer.

So let’s leave it at this: When the employees in your company try to avoid the systems you provide to make them more effective, find out why.

They have a reason. You need to know what it is. Then you can figure out what to do about it.

Other than firing them.