
Relaxing controls

One of those great sayings from Gaping Void. Generally, if you look at an organisation and trace back the various rules and regulations, they can normally be seen as arising from past failure and the attempt to correct it. There is a sub-class here, of controls arising from a re-engineering exercise. In this case we get rules based on idealised processes, the net result of which is denser informal networks to find workarounds in order to mitigate the impact of excessive structure. I call it a sub-class as such root-and-branch exercises normally arise in consequence of some failure to create breathing space.

Rules lock in process, and create a need for more rules. It may be no coincidence that I am writing this on Armistice Day, approaching the 11th hour of the 11th day etc. The First World War arose from a set of lock-in relationships and interdependencies that could not be stopped, and at a lower level with less global cost, but equivalent personal cost, we see the same in many an organisation today.

You wonder what would happen if an organisation had the sense to relax constraints? You could start by mapping the informal social networks that exist, and relax the rules where those networks were strongest. Let them pick up the strain and see how they manage (they are de facto doing it anyway). Get a few successes, then start to look at creating controls not to define what people should do, but to create some loose limits or constraints. Any system needs controls, but an organisation is an ecology, not a machine, and we therefore need to focus on operating conditions rather than prescriptive action.

Comments (1)

John Bordeaux:

Relaxing controls... this is a hot button for me.

A challenge for a public company in the US doing business with the federal government is the need to comply with several laws that mandate controls on our information management, including: implications for e-discovery under the new Rules for Civil Procedure (2006); Federal Information Systems Management Act of 2002 (FISMA); Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II); The Sarbanes-Oxley Act of 2002; etc. Then you add EU Data Privacy "guidance" when you want to do business across the pond, and it starts to really get interesting.

My observation is that the trend towards uniformity is underway, at least in my industry, and is reinforced by the external and internal auditors who decide the compliance is best evidenced by "best practices." I don't know if there's an answer to relaxing controls that are outside the firm's purview, but I suppose I'm asking how one can assure that compliance can be achieved without resorting to a consultant's 'best practice' or other mimicry.
