Category: Information Risk Management

Span (out) of Control

How is it that for a long time we were used to managerial spans of control being in the 5‑to‑10, optimal (sic) 8 range, whereas what we had in the past couple of decades so often was spans of control in the 2‑3 range ..? [Duh, exceptions and successful organizations aside…]
Because I came across some post on Forbes where there’s an early simple statement that a span of control of 10 would not only be normal, but outdated as well, as the span could be at 30. Well, I doubt the latter, as this would conflict with a lower ‘Dunbar’ number which indeed is about 8, with ramifications for informal control as outlined in Bruce Schneier’s Liars and Outliers.

Oh yes now it springs to mind the 8 figure was developed by the military, the ultimate built‑for‑survival organization, through the ages to be the optimal span of control, aligning with the apparently natural Dunbar number. It was then taken over to business for its apparent effectiveness, and its apparently attractive all‑business‑is‑war metaphor – where the attraction is there only for those not really exposed to the gore of war, I guess. From which the fearful, the accidentally pushed into management roles clueless managers, tried to do what they thought was the gist of managerial literature: fight all uncertainty that might threaten your career. Through micromanagement, through requiring all data to be reported. Not to use it wisely, but to just pretend to be in control. And, if you don’t understand, just do with less direct reports to shrink what’s coming at you.

[Intermission:
DSCN2260
That man on the pole was quite a good leader it seems.]

But whether it’s 8, 10 or 30, the optimal span of control clearly is larger than the common today’s practice. Which has implications:

  • Too low a number will inevitably lead managers to seek to have something to do. Busywork, in their role leading to excessive micromanagement (yes pleonasm but on purpose) and/or excessive meeting behavior, in particular with their underlings and/or likewise trapped colleagues. A bit like an AA group. Which burdens the underlings by taking time away from actual content work and creating the need for action item lists and reporting blub. Thus losing time off colleagues with all sorts of, what actually is, whining.
  • Too low a number and the micromanagement leads to extreme (far overextended) controls burdens on the ones who’d actually produce anything of value. Instead of producing (net) negative value with all their externalities that managers may commonly do. This burdening then leads to ‘process’, ‘procedures’ etc., to ‘standardize’ (otherwise, understanding of actual content would be required; the horror for petty middle managers!). Thus hollowing out even further the value of any work done. As in the abovementioned Forbes article; the Peter Principle will reign.
  • Too low a number and the standardization will drive out the creativity (required in customer service and in product/service design, production and delivery). Where that is ever more essential than before to counter the ever more changing environment. As I typed this, this article arrived…
  • Colleagues (or rather, underling staff) will be demotivated due to having less and less time to do the work they’re assessed and valued for by the organization, and having to produce ever more TPS reports for overhead purposes. This will bring down performance, both directly and indirectly. And by the way, all the controls will also suffer by staff demotivation leading to less effectiveness or even full evasion. With equally rising risks for performance.

An extension to ten, or even twenty or thirty would be very well possible as well, in these times of massively improved information and reporting options. The latter aligns quite well with the increased need to at least have a little oversight left.

Though that would require much more empowerment (again) of your employees. That are the knowledge workers par excellence, right? If you don’t have those yet, you may have an entirely different but even more pressing problem… Have the real knowledge workers left, don’t they want to join anymore, or have you unconsciously but actively numbed them into sully drones? Whatever the cause, the real knowledge workers know better than their manager how to do their work – that’s why they do it and not the manager. If it were the other way around, it would be beneficial for the organization to have the manager do the grunt work. And no, micro management is something else.

The empowerment should go hand in hand with different styles of leadership, direction and oversight. Not based on ‘objectives’, made ‘smart’(not) for Pete’s sake, but based on truly smart KPI’s that leave employees room to do their business in ways they see best fit. Not rails, but guiding rails, and no yard-by-yard route directions but some A and B and a road (?) map. Or, well, a good navi system – or would you the manager want to pull the steering wheel for every correction? Reporting can similarly be made smarter anyway, or is that wishful thinking. In times of smart analysis with big data or not, this should be feasible.

And keeping just a little oversight is enough already for a good manager, and quite different from total(itarian) ‘control’. The former is needed to lead and direct, the latter is paralysis through total suppression and denial of a capricious reality.

And oh, for the record, some form of hierarchy will always be needed, even in fully horizontal network organizations with 360° feedback and what have we. Just re-read Flat Army by Dan Pontefract; without collapsing to a free‑for‑all hippie group, there are quite many ways to manage more humanlike. There just are so many ways to flex- and telework from home or anywhere, and a mature manager and her/his organization will pay for performance not mere attendance over performance.

So yes, we all need to focus on upping the number. To counter stalemates. To counter bureaucracy heavens. To regain flexibility. Still, still, this could only work IF, very very big if, ‘managers’ (not to address actual managers, that I value enormously!) can loosen their frantic, fear‑of‑death‑like Totalitarian Control and compliance attitude. Which I doubt. Maybe we should start to let such managers pursue other careers elsewhere, those that are specialists in sticking to their own chair by sacrificing all capacity and performance in times of cost savings. Then, the ones that are not good at that because they really try to achieve something for their organization wouldn’t have to be let go by the numbers and restore some positive balance of managerial capabilities.

But then, organizations relying on the control freak managers (whether already or after they will have crowded out the actual managers via the Peter Principle and acolyte behavior) will lose out to the upstarts that do keep the mold out. There’s hope.

You(‘)r(e) right(s)

Well, whatever percentages in this; Voltaire was right. Even if there would be just one citizen who’d think otherwise, all others should (also) defend his (her?) right to be wrong, to the death.

As it’s already five o’clock (here), have a nice weekend, with:
DSCN0823
[Not quite St.Pat’s Day material, still quite equivalent of the Green … Frankenmuth, MI]

Total priv’stalking

Errrm, would anyone have pointers to literature (of the serious kind, not the NSFW kind you only understand) regarding comparison of real physical-world stalking versus on-line total data collection ..?
No, not as some rant against TLAs but rather against commercial enterprise than not only collects, but actively circles around you, wherever you go. Giving you the creeps.

Because the psychological first response is so similar, can it be that the secondary behavioural response / adaptation is similar, in self-censorship and distortion of actual free movement around … the web and free choice of information ..?

And also, whether current anti-stalking laws of the physical world, would actually work, or need strengthening anyway, and/or would/could work or need translation/extension, to cover liberty of movement and privacy-as-being-the-right-to-be-left-alone i.e., privacy as the right to not be tracked, privacy as the right to anonymity everywhere but the very very select very place- and time(!!)-restricted cases one’s personal info is actually required. Privacy as in: companies might have the right to have their own information but not the right to collect information of or on me (on Being or Behavioural) as that is in the end always information produced by me, through being or behaving. The (European) principle still is that copyright can be granted, transferred, shared out in common parlance by payment for use (or getting paid for transferring the right to collect such payments) i.e., economically, but not legally; the actual ownership of the copyright remains with the author!

See why I excluded the TLAs ..? They may collect all they would want but not use unless on suspicion after normal-legal specific a priori proof; that’s their job. No officially (…) they may not step outside their confined remit box, but they do have a box to work within.
Now, back to the question: Please reply with other than the purely legal mumbo-jumbo that not even peers could truly understand but just babble along with.

In return, in advance:
DSCN0535
[Foggy (eyes), since in the olden days, probably never to be seen again; Bélem]

Non-Dunbarian compliance

Just a note that the world is in great need for more on Dunbar’s numbers in antidote to totalitarian-bureaucratic compliance efforts.

go-on-gif
Nah, wanted to, but have more urgent issues to discuss. E.g., tomorrow. See you then!

The beauty of variance

Oh why did we think that mere straightforward compliance with one definitive set of rules (however principled, or detailed) would achieve anything worthwhile ..?

Why didn’t we consider the inherent, innate beauty of variance and variation, beyond mere secondary usefulness in resilience/robustness ..?

Because reasons. The perennial one being Fear, probably. Fear of uncertainty. As there’s downside risk in that. Where all the risk management still focuses on. Yes, no, no denying that; all models still have any ‘impact’ of any ‘event’ as a single negative number. If (in the every-part-but-when sense) we would inculde positive, good possibilities and outcomes to count as well, wouldn’t we end up with zero average impacts in many places ..? Like the great many places where non-compliance is conscious just because the enterpreneur wants to achieve something worthwhile hence other than compliance ..?

But what if we turn risk management into the brushing off of the rough edges of beautiful sculpturing that enterpreneurs and true managers do ..? Chiseling away grey/gray unusable material to keep the beuatiful statue that was in the stone already to be released ..?

Those that want nothing to bloom may await nothing but their ignomous and insignificant death. In the mean time, don’t bother the one sthat want to achieve something, please.

After which I remind you: That’s all secondary talk. Primarily, seek the beauty of variation for its own richness. Hence:
000021 (9)
[The view from my field office, once. Y2K was a party on St. Lucia…]

Partially compliant: as a solution

I was recently informed by a respected colleague in a peer-to-peer discussion (see; they’re useful!) about a development of his in the Compliance arena.
About not having just one single Statement of Compliance that all too often wipes deficiencies under the rug for the sake of agreement everywhere. But having two, one on (first-lines’) management awareness of deficiencies as things to actively manage and actively discuss with second and third lines, and one on abstract, ‘anonymous’ no-blame control effectiveness.

So, when the Three Lines of Defense would actually work (yes I’ve ranted against that on this blog frequently as the simpleton approach inherently can’t work!), first-line management can provide their own list of control deficiencies, and the second and third lines can only confirm and not add much of at all. Then, the first line is in control (all is well and/or known-and-WIP), over their own stuff. Hence, awareness ✓ effectiveness X. When the first line doesn’t have much but the 2nd/3rd lines add quite some (other) things, awareness is X and effectiveness is undetermined. Only when the first line doesn’t have much and the second/third lines cannot add quite a few things, will awareness be ✓ and control effectiveness be ✓

Which sounds like a far better, and in practice far better palatable approach than just one messy jumble-together undetermined opinion. For which I leave you with:
DSC_0030
[The bus buck stops here at this chaotic (?) shelter; Aachen. In Control statement: similar]

Effectiveness or Compliance

In assessing ‘compliance’ of your … [fill in the blanks and then colour the picture], do you actually go for correct set-up and design, and operating effectiveness ..?
If so, you’d be ready when the design is suitable.

Though a great many of you would still consider operating effectiveness proven by repeated measurement and establishing everything runs smoothly according to procedures, including the capture and re-alignment of exceptions.

But you would be wrong. That’s just verification in the weakest form.

Actual operating effectiveness would have been dictated (meant literally, not ‘literally’-figuratively) by an appropriate design. The design should be such that there is no way in which, e.g., any transaction could escape procedures, ever.

Which would require very careful study of procedures, the result of design. Which would fail when the design wasn’t aimed for totalitarian control. Which is the case; the design almost always is focused on obtaining the most basic of functionalities of a system – that includes catering for some exceptions, the bulk of the foreseeable ones; at most – not capture all and everything as that would indeed be impossible ex ante. Hence, the inherent impossibility of total operating effectiveness. There’s always unheard-of, thought to be impossible exceptions at the lowest levels of detail. (Let alone in the infrastructure on which any system would have to run, at about all abstraction layers of ‘system’ that one can study.) And there’s Class Breaks, and penny-wise but pound-foolish type of ‘exceptions’ at higher abstraction layers (all the way up to ‘the CEO wishes this. He (sic) only has to wish for it to be done already’).
So, already in the design phase, you know to fail at Operating Effectiveness later, however perfect you think you’re doing. And you delude yourself further if you’d think that the design will be implemented perfectly. On the contrary, in the implementation the very reality will have to be dealt with, where the nitty-gritty will derail your ideas and something that is a bit workable at all, will be the most you can achieve. Always, ever.
Hence there too, you lose a lot of ‘perfection’.

Whihc may show in operations or not. If you don’t look careful enough, you might arrive at a positive conclusion about somewhat-effective control operations. That has little to do with effective operations by the way; the latter (client service) being greatly disturbed by your ….. (insert expletive describing subpar quality) controls.
If you look careful enough … you don’t even have to; just point out where controls didn’t operate effectively and qualify that as total SNAFU.

Oh yes, in theory (contrasting practice) it just might work, by having all sorts of perfectly stacked control loops on top of control loops (as detailed here) but these have their leakage and imperfections as well and would have to be infinitely stacked to achieve anything approaching closure so nice try but no cigar.

Conclusion:
Set-up/Design and Implementation are everything, Operating Effectiveness follows: OE fails logically.
ISAx Statements Type I or II: Logically inherently deficient hence superfluous money- and paper waste.
Revert to Understanding and opining on your guts. It takes guts, yes, as risky as that is, but pretension of logical reasoning and/or sufficiently extensive proof-of-the-pudding auditing (on the paper-based pudding …) cannot but fail: Non-compliance found: negative rating; no non-compliance found: failed at the task.

I’m done now. For you:
DSC_0016
[Just a side corridor, neatly controlled (for!) decoration]

Modelling innovation

Just a note: Why do we see so many sites, posts, models, templates how to organise innovation ..?
Wasn’t Innovation about not being squeezed into models or templates ..?
Or are the ones actually innovating, not interested and the ones that are, not innovating ..?
I’ll come back to this later, if needed. For now:

DSC_0015
[Ideals, at Cologne]

Your ASI-MBTIFuture

With all the discussion on the future of work, and how finally! we would be able to do ‘only’ creative, (physically/mentally!) non-repetitive work and/or where and how jobs for that could be craeted or would we all be doomed to be some (un/underpaid) Leisure Class, I suddenly realised:
The future of work depends very much on your myopia of what all ‘workers’ would want.

As about 60%+ of ‘workers’ at all levels of intelligence at/of work including pure mental, knowledge workers, would prefer simple 9-to-5 type jobs, with the predictability and security it brings (requirement…). Established per hard science. Only 40% or less actually wants the wild, the change, the uncertainty-is-beautiful.
So, will 60%+ not be able to make the transition or only not want to and maybe be able to after sufficient pressure is applied ..?

Which brings me to the find I did. Myers-Briggs.
Yes, yes, it indeed is discredited by some, to some extent. But it’s still the most recognised, most recognisable and easily applicable method to establish one’s own interests [with inclusion of the caveats and recognition of its time dependency and outcome variability]. I mean,
MyersBriggsTypes
Is easily assessed (though I’d recommend the more extended questionnaire versions, e.g., from some books). And personally attempted-falsified.

Some take it to the limit. Resulting in:
myersphilo
but really I’d say that’s pushing it, and why?

To which above type ‘scores’ there’s also career advice, also in books and on-line. Like:
MBTIjobChartSmall
Note the remarks at the bottom. Variants apply, like this one which is skewed to sales/marketing business, I think..

But nevertheless, the overall trend is clear: When you’re an I, and/or S type in particular, and maybe too much of the T and J into the mix, you may find it harder and harder to adapt to the on-going exponential (?) fuzzification of work. If you’re in any of the ‘typical’ trades, you may either become the Expert of Experts, retreating into an ever smaller corner until retirement, if you can hold out that long, or bring your characteristics to other trades (remember, yin and yang both have an element of the other within them – this applies here as well), or retrain yourself psychologically to better fit the trades that may be left until ASI overtakes us. [As in this post]

If you can …

I’ll leave you with:
DSCN6848
[For no reason – or, how many trades have come and gone in this environ… Sevilla]

Tip: Morozov’s Click Here

Ah, maybe I’m the one not having paid attention, but I see so little response (which would be: digesting and repeat) of the ideas of the great Morozov in his To Save Everything, Click Here, as e.g., here (to be clicked).

Which is quite a contrast with his content, having a major discussion area in itself, about every other paragraph throughout. Yes, that makes it just a little bit harder to retain the main plot (?) line and the ‘details’ as well; it seems a bit like the asymmetry in information security where the defence will have to fight (? debate, rather) on all sides when attackers (the ones with the blindingly large blinds/blinkers on, headless chickens) can move their individual spearhead attacks forward anywhere – but in this Morozov case, one can count on the defense having the much more and more importantly, much better, arguments on its side. One should not count arguments, but weigh them (Cicero).

“Huh, no content of the book here …” Indeed not. Get it and read! I’m off now to finish reading, leaving you with:
DSCN4458
[Ah, the one little part where The Hague is somewhat like a big Milanish / Parisian city; unedited hence the off light conditions]

Maverisk / Étoiles du Nord