What on earth are managers up to these days? Here I write of the rise and rise of robotic, one dimensional, management-by-formula, and question if it is throttling innovation.
In linguistics, there is a rhetorical fondness of the imaginary “Martian Linguist” who, according to Chomskian thinking, on a visit to Earth would deduce from the evidence that all humans speak the one language, with only minor local variants. Well, I’m thinking that if management theorists from Mars were to watch the goings on at most board rooms today, they could be forgiven for thinking that all human enterprises are actually engaged in the same activity – compliance!
It might not be politically correct to question governance in these risk averse times, but here goes. Can we dare to ask, what is “governance”? In effect, as practiced, it is meta-management; that is, management of management.
The orthodox way to manage managers is simple really. First we get them to exhaustively write down what they and their work force should be doing in their business. The documents are nicely formatted according to a standard table of contents, handed down. While it’s not always obvious what people are up to, thankfully processes and procedures may be divined from the everyday hurly-burly, through all manner of workshops, special analytical tools, methodologies and the help of highly esteemed consultants. And then, with shiny new manuals in hand, meta-management proceeds by regularly auditing what’s going on, and applying corrections whenever a deviation from the chosen path is detected.
Over the course of twenty years in R&D and high tech industries, I have seen a steady succession of management methodologies that at their core are essentially the same: software development lifecycle management, the Quality movement, information security management, risk management and corporate governance (especially post Enron) and now privacy.
Compliance demands measurement. But unlike traditional industrial processes, most business processes are rather intangible. Managers all know what it’s like when their kids ask “what do you actually do all day Mummy?”. It’s not just the technical details of one’s job that make this a tricky question – all serious management is subtle, personal and often unpredictable. So the only way to make business processes measurable is to document them, attaching tangible hooks here and there, so that they are rendered auditable. And then a terrible spiral develops; the only way to “increase” compliance is to increase the documents and the audits.
The orthodox governance mindset seems to breed an attitude where the only way to improve Risk Management (or Security or Privacy or whatever) is to create ever more detailed documents and submit to ever more detailed audits.
There is no limit to the amount of documentation that can be enthusiastically generated in any modern business. We start with standards, codes and policies, and move on to processes, procedures, and work instructions ad infinitum. It’s the very opposite, emotionally, of “analysis paralysis”. It feels so good, so productive to be specifying our business processes, that the act can become the main mission.
I don’t think mine is an overly cynical view. Seven years in the medical device industry in the 90s, followed by 12 years in information security, has shown me countless audits in which the dominant findings were that such-and-such a process was not properly documented, or not being properly measured.
The auditors’ principal mode of work is to come back every 12 months to check if the documents and metrics found to be missing on their last visit have since been written, tracked and posted on the intranet. This sort of cycle is deeply robotic (in a way it is supposed to be, because of the understandable desire for metrics to be quantitative and objective). But the audit cycle too often veers from mechanical to moronic. Most of us have probably experienced the sheer inanity of an audit when the auditor is brand new, has no understanding of the business, and is simply re-tracing last year’s report, and when the staffers are also new and are reading, often for the very first time, the documents written by their predecessors. They can’t see the forest for the trees.
We might all agree that “Privacy is good for business” – just as self-evidently (?) “Security is good for business” and “Quality is good for business”. But orthodox privacy/security/quality compliance regimes come with huge and unwelcome overheads, and it has to be said that the links between compliance and the bottom line are tenuous, subtle, controversial or frankly marginal. The benefit of compliance is not intuitively obvious to junior staff; instead it is the stuff of MBA courses and Harvard Business Review articles.
I wonder if the deep problem in orthodox meta-management is that it treats management like it must have an underlying algorithm? An algorithm is a repeatable procedure (akin to a recipe) that takes a fixed set of inputs, combines and processes them in a step-wise fashion, and eventually spits out an answer. If you want to boil an egg, or optimize a production run, or simulate the climate, then there are algorithms that do the job.
Consider conventional Threat & Risk Assessment (TRA). It is conducted algorithmically. You draw up a table that lists all known threats. For each you rate its probability of occurrence and its potential degree of impact. The algorithm then weights all the inputs, rolls them up and tells us simply whether to "Fix now", "Fix later" or "Don't worry".
If each TRA was started with a blank sheet of paper, and a genuine effort was made afresh to discover all real significant threats, then that would be great. But in reality most TRAs are cut-and-paste from the last TRA; few if any fresh inputs are considered. And even if an effort is made to look diligently for new threats, scant regard may be given to the philosophical problem of not knowing what you don’t know. It’s impossible to tell if a threat has been missed by a TRA (and yet we kid ourselves that TRAs give conservative answers).
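To make the two preceding paragraphs concrete, here is an added example (not from the original post) of the TRA roll-up just described, together with a simple staleness check that flags a register carried over verbatim from the previous year. The rating scale, the score bands and the threat rows are constructed assumptions; the roll-up can only rank the rows it is given, which is exactly the missed-threat problem the text raises.

```python
# Added example: a minimal Threat & Risk Assessment roll-up plus a
# cut-and-paste detector. All names, ratings and bands are constructed.

# Assumed convention: qualitative ratings mapped onto a 1..5 scale.
LEVELS = {"low": 1, "medium": 3, "high": 5}


def score(threat):
    """Weight one row of the table: likelihood x impact."""
    return LEVELS[threat["likelihood"]] * LEVELS[threat["impact"]]


def decide(points):
    """Band a weighted score into the three verdicts the post describes."""
    if points >= 15:
        return "Fix now"
    if points >= 5:
        return "Fix later"
    return "Don't worry"


def roll_up(register):
    """Return {threat name: verdict} for every row in the register."""
    return {t["name"]: decide(score(t)) for t in register}


def unchanged_fraction(current, previous):
    """Share of rows copied unchanged from the previous assessment.
    A value near 1.0 means no fresh inputs were considered this cycle."""
    key = lambda t: (t["name"], t["likelihood"], t["impact"])
    prev = {key(t) for t in previous}
    same = sum(key(t) in prev for t in current)
    return same / len(current) if current else 0.0


LAST_YEAR = [  # constructed sample register
    {"name": "lost laptop", "likelihood": "high", "impact": "medium"},
    {"name": "data centre fire", "likelihood": "low", "impact": "high"},
    {"name": "password reuse", "likelihood": "medium", "impact": "low"},
]
THIS_YEAR = list(LAST_YEAR)  # the cut-and-paste case the post criticises

if __name__ == "__main__":
    for name, verdict in roll_up(THIS_YEAR).items():
        print(f"{name:>18}: {verdict}")
    stale = unchanged_fraction(THIS_YEAR, LAST_YEAR)
    print(f"rows unchanged from last year: {stale:.0%}")
```

Adding a threat that last year's table never listed changes the staleness figure, but nothing in the roll-up itself can reveal a threat that was never entered.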
Logicians have long known that there exist very simple problems for which there are no algorithms. For instance, there is no algorithmic solution to the "Stopping Problem" in Computer Science; that is, no computer program can be written that will tell us if another program, given as input, will ever stop. Similarly, there is no efficient algorithm for the "Traveling Salesman" problem (how to work out the shortest route for visiting every town connected by an arbitrary network of roads).
So it should not surprise us that in human affairs, there is probably no algorithm for management. It is high time that we tempered our expectations that organisations will benefit intrinsically from adopting standards, writing policy documents, auditing compliance with those documents, and continuously writing new ones.
"Quality is dead", indeed, killed off by the mechanistic naivety of the Total Quality Movement. Yet the very same meta-management paradigm of document, audit and document some more, was adopted in the Information Security industry and continues to be extended endlessly (the only thing better than the old standard ISO 17799 is the new standard ISO 27001; it’s as if standards intrinsically weave magic). It seems to me that the Sarbanes Oxley regime reflects the same thinking. This huge set of new overheads (not to mention, rich vein of consulting opportunities for the professional services firms) was a response to the shenanigans of white collar criminals. One has to wonder how the introduction of new compliance rules is really expected to deter crooks who aren’t exactly given to following rules in the first place?
Of all the different flavours of meta-management, at least it can be said of TQM that it was motivated by a desire to enable a better job to be done. But all the other methodologies are about a less risky job being done. How can this mindset not suffocate innovation?
Don’t great organisations have some sort of spark? Aren’t entrepreneurship and innovation usually fuelled by smart people who see things that others have not? Encouraging our people to “think outside the box” is such a hollow cliché in practice. In respect of process, it should mean buck the process! But few organisations these days truly reward people for stepping outside the strictures of compliance and governance and security, to accommodate new views – that is, to look for the unexpected inputs that elude any algorithm. Surely if we wish to cultivate innovation, originality and creativity, then we need fewer standards, not more.