From Sedlacek to accountancy

While going through Sedláček’s seminal Economics of Good and Evil – which should be a mandatory read for all economics, business, and audit (-of-all-sorts) students, I came across one part that struck me as possibly relevant for direct application in accountancy.
Oh but of course, there’s so great a many more parts that should be applied, the sooner the better. I’ll return one day, in the next couple of months, with probably a series of Book by Quote posts on the book, including some analysis and comments maybe this time. And by ‘direct application’ I meant application as useful underpinning undercurrent, root cause, in tha analysis, of what’s wrong with latter-day accountancy, helping as pointers towards possible improvement(s) there. The kicker is in the tail of this post …

First, this:
DSCN1004[According to legend, the exact spot (flag) where St. George slew the dragon, at the St. Jordi (of course) gate, Montblanc, Catalunya. Somewhat fittingly a bus stop 2 yards away, if you could make this post a similar exact slaying spot of accountancy’s woes ;-]

OK. To start. Sedláček has this chapter where a number of Value systems are lined up. On the far left is Kant, with the good-ness of a man’s actions being everything, regardless of the results. Next from the left towards the middle are Christian and Judean thought, and on with Aristoteles, Epicurists (which I think he interprets, and places, incorrectly), Hedonists and finally on the far Right flank, Utilitarians and Mandeville – Greed is Good or rather: only (!?) vice is good (for progress – and we all need that, right?). When reading this (and, as said, I don’t agree with everything there even taking into account Sedláček’s clear statement that the abbreviation may bend the correctness of content), something struck me:

What if, when, the utilitarians have kidnapped the meek of the middle-to-left; have made them believe that they could remain true to themselves in this hostile world, while at the same time the villains have isolated them from the real world and just harvest their proceeds?

[From here on, it gets contentious. Don’t be put off by what you might interpret as rebellious bluntness. I just have not sufficient time to write it all out in a diplomatic, friendly fashion – a diplomat is someone who tells you to go to heck in such a way that you look forward to the journey]
This, e.g., in the wider society where Jaron Lanier’s siren servers harvest all the data production that consumers do; promising benefits but keeping all the humongous moneys to themselves. And, as said, in accountancy, where the individual accountant (partner) is still allowed to believe (s)he works for the greater good of society, to be a really important cog in (economic) society’s good behavior machine. Where in the mean time, the leading partners (or the jump from individual to collective!) roam off all the vast margins and don’t care less about quality. The latter may sound coarse but considering the pressure on productivity levels and budgets, and considering the declared Holy goal of profit increase (second derivative!) …

Such kidnapping points at the improvements required in accountancy today, in particular re the ‘Big’ 4 their handywork for large organisations i.e. just signing off and caring less (proven) about the quality of investigative work done. The horror to think one would dig deep enough for root causes, that would only cost mo-ney…! and could set us up for confrontation with the client, even by causing the hassle or having to amend (processes – cumbersome and costly, and books – the same).

As stated, this may help in the current discussions about the ‘business model’ in accountancy in particular re the ‘Big’ 4. Where talk is of what the client is that should be served, and how to align payment accordingly. As now, in practice the Board, the very auditee, pays. Officially, the Board of Supervisors (Raad van Commissarissen) does, that in an ideal world would represent not only stockholders’ interests but also other stakeholders’; we live in not quite an ideal world where the RvC has to deal with Regulatory Capture if (not when) they’d be aware of that and would even be aware of the need to break the old boys’ networks. And even then, the client could be the RvC but paying the (external) accountant out of profits comes down to the Board registering that in the organization’s books after the best placed to understand and estimate, the Board, would negotiate the budget. In the end, the auditee pays. Who pays, stays. ‘Whose bread one eats, his words one speaks’ (Dutch). Despite the Good ones trying to maintain their independence, in appearance and practice; this shouldn’t be a struggle but an easy stable starting point not having to depart from or returned back to. Certainly not in public opinion..! But now, is troublesome.
Another option, to hire accountants via the insurance companies that insure the auditee organisations qua malpractice, may work but makes accountants dependent in other ways; insurance co’s aren’t philanthropic institutions and would have their own ways of setting budgets, not ex ante aligned with accountants’ societal interests first.

Thirdly, nationalization of accountants also pops up here and there again and again. Where all accountants – not; only the ones to audit organisations of societal interest – would then be allocated in some way or another to auditees. Regulatory capture and other distortions may readily start off in this mode as well; is this studied well enough? Though in this model, accountants with their legally protected task would earn much capped incomes in line with all (?) other civil servants like street cleaners and PMs.

And, of course, there’s the BOHICA approach.
Which might not even be that bad, if, IF paired with an introspection plus real change where the profit seekers are ousted (and not allowed to re-enter, through changed promotion paths) and the kidnapped are released. So that they can again do their best work, as virtuous (wo)men.

So, this above reasoning all the way from Sedláček to current accountancy business models, leads to the distinction of two different sorts of ‘Big’ 4 partners. Which in turn leads to the kidnap interpretation. Which, in turn, leads to changed promotion paths as way forward.

Aren’t we lucky that accountants know everything about true transparency … because that’s what will be needed when progressing with this. So that no lip service will be paid to these changed business principles.

But wait … all the above should not be news. And appears to be insufficient since, as accountants, the very few who actually do, discussed: shouting for ‘cultural change’ is just window dressing that in itself will not result in said change and may not prove to be doable, as goal. To put it very mildly. We may need more. Along the lines of Mandeville, where the Bad are allowed to exist, are required to exist but don’t tell them (no need), in order for the whole of virtuous society to benefit from them; if there were only virtuous citizens, society would come to a standstill until destroyed (from the outside, mostly).
What if we can devise a (business) model that would actually kidnap the despicable, the money grabbers, and turn them into the nible thrifty termites that we the virtuous ants could live off ..?
[Edited to add: This may require Piketty-style progressive taxes on specific professions, but would that be impossible ..? ‘t Might be done in-house in some way, e.g., by setting limits on the income range, the top 10% earning a max per person of … whatever, times the earning per person of the lower 20%]

I’ll leave you now. A much more extensive analysis may be in order of this subject. Which may or may not follow. In particular re the jump from (sum of) individuals to collective à la Ortega y Gasset and Brian (and followers); an oft overlooked but still Very Hard Problem. But your comments are welcomed already…:

Hiding or in plain sight (IoT dev’t)

In IoT development, there seems to be a disconnect between the hype and the underlying developments. By which I mean that of course, the hype will not play out according to itself, but according “We overestimate short-term impacts and underestimate the longer-term ones”. But moreover, I also mean that there’s a variety of development speeds for IoT. Since there is various types, categories of IoT developing.
As in this here one of my previous posts.

Oh right away:
DSCN8649
[Your office ‘life’, Zuid-As again]

So… what we’re seeing, is certain differences in speeds:

  • B-inhouse IoT develops rapidly; after some decades of slow introduction of robot-driven factories, we’re on the verge of a breakthrough at less than light speed where the same factories will be linked up to form semi-small, mid-size ‘local’ 3D printing warehouses. Maybe. But certainly, the factories will go the way of data centers, that can be anywhere around the world with only rump staffing locally and control being … anywhere else around the world. With the premise that in the ‘Western’ world, there will be sufficient sufficiently educated staff to control the factories elsewhere. So that ‘manufacturing’ may ‘return’ to the West its origination (Industrial Revolution and since). Nearness of production cutting the costly transport now that labour costs become less relevant, and leaving the most pollutive production where locals still don’t have the economic power to fight the externalities. Short-changing economic development in many places where it had barely started in earnest (no ‘trickle down’ yet). Unbalancing global power developments. We’ll see… Or not; these ‘secret’ in-house developments (in particular, within large conglomerates that can pilot) may not be too visible before their join-or-die breakthrough.
  • B2B IoT: Same, somewhat. Moving ahead with cutting out the middle men, DACcing all around. Pure economics (power play by big corp’s; ROI et al.) will determine speed(s) here. Join-or-die aspects play here, too; less in outright competition but more in missing out in cooperation, being left in the dust.
  • C2B IoT: Out in the open, where all the hype is. No concern – as for secrecy of developments; heaps of concerns re e.g. privacy ..!! Critical Mass (as defined in Yours Truly’s seminal graduation thesis of, already, 1990 (on office automation incl e-mail, where it played then) yes a great many years before it was to be called) Network Effect, or – Tipping Point may be the key point for development fits and starts in this one; in publicity, actual adoption and fruitful use.
  • C-internal: Same. Slower due to legacy. I.e., houses already out there. Some have been around for centuries. Massive update ..? [Edited to add: this here toytoolset seems helpful in this area]

We’ll see…

Spam (out) of control

How is it that for decades, we had been used to managerial spans of control being in the 5-to-10, optimal (sic) 8 range, whereas what we had in the past couple of decades is spans of control in the 2-3 range mostly ..? [Duh, exceptions and successful organisations aside…]

Because I came across some post on a well-known business site where there’s an early simple statement that a span of control of 10 would not only be normal, but outdated as well, as the span could be at 30.
Well, I doubt the latter, as this would conflict with a lower ‘Dunbar’ number which indeed is about 8, with ramifications for informal control as outlined in this Bruce masterpiece. Oh yes now it springs to mind the 8 figure was taken by the military, the ultimate built-for-survival organization, to be the optimal span of control, and taken over to business for its apparently attractive all-business-is-war metaphor – where the attraction is there only for those not really exposed to the gore of war, I guess.

But whether it’s 8, 10 or 30, the optimal span of control clearly is larger than the common today’s practice.
Which has implications:

  • Too low a number will inevitably lead managers to seek to have something to do. Busywork, in their role leading to excessive micromanagement (yes pleonasm but on purpose) and/or excessive meeting behavior, in particular with their underlings and/or likewise trapped colleagues, like an AA group. Thus burdening the underlings with time taken away from actual content work and the need for Action item lists and reporting blub. Thus burdening colleagues with all sorts of time lost on, what actually is, whining.
  • Too low a number and the micromanagement leads to extreme (far overextended) controls burdens on the ones who’d actually produce anything of value instead of producing negative value with all their externalities like managers may commonly do. This burdening then leads to ‘process’, ‘procedures’ etc., to ‘standardise’ (otherwise, understanding of actual content would be required; the horror to managers!), hollowing out even further the value of any work done. As in the abovementioned / linked Forbes article; the Peter principle will reign.
  • Too low a number and the standardisation will drive out the creativity (in process and in product/service design/production/delivery) that is required ever more than before to counter the ever more changing environment. As I typed this, this article arrived…

So yes, we all need to focus on upping the number. To counter stalemates. To counter bureaucracy heavens. To regain flexibility.
But still, still, this could only work IF, very very big IF, ‘managers’ (not to address actual managers, that I value enormously!) can loosen their frantic, fear-of-death-like Totalitarian Control attitude.
Which I doubt. But then, organisations relying on these (whether already or after they will have crowded-out the actual managers via the Peter principle and acolyte behavior) will loose out to the upstarts that do keep the mold out.

And, finally, of course:
DSCN1138[Was safe, now the highway passes by somewhere down below, leaving the ‘secured’ stranded upon high; Carmona]

In that Case, No.

Is your organization still replying on ‘business’ ‘cases’ to fund projects? Then there’s a special place for you in Dorchester.
When building such business cases – apologies for not mocking that newspeak already –, have you ever come up with one that did not pass the hurdle rate ..? Or come across a case where no business case was needed because the case for investing was so obvious or it wasn’t most clearly but someone of the Board wanted it so whatever dreadful return was expected all still had to be done?

Which made business cases the spider web that catches the little flies when the big ones simply smash on through.

And the insects that game-change and disrupt your feeding/business model and/or market share, don’t even fly near your web or turned inedible.

How many start-ups go through formal business cases for every investment or pivot ..? And only just making the 10% rate ..? With all costs so exactly calculable as you present those (the 100%+ error rates you leave out ’cause band widths are too difficult to understand by the ones with the money bags. You presume that, they deny that vehemently because it would show them to be the emperors in their newest clothes (but with piggy-fat pay checks), but you are certain of not being able to mark the averages for the cost items so you take lowest estimates), and the benefits monetized [my italics, auth.] to fabulously inflated figures. With oh so many unethical rounds of ‘adjustments’. Newspeak for: cooking the books of your business case. By lack of the hardest of scientifically concrete counterevidence you maintain your weakest of kindergarten estimates still hold.
Again, not very much like the start-ups you envy. You envy for their success rate. Ah, you now say the failure rate of start-ups is dismal. How about the failure rate of your projects; if they had been single initiatives, wouldn’t they have gone bankrupt at an even higher rate? Aren’t your successes the panting hanging-in-by-the-thread shrill-shouts of objectives achievement? Where the start-ups are considered successful only after passing the … maybe 500% return rate; reflective of … business value through non-monetary returns you could only dream of.

Don’t feel like I’m just bullying you like all the rest, with the weapon of slight. I’m trying to provide ammo so you can be allowed to move away from the bleak common business case of ‘decks’ full of PPTs where the content would be much, much better presented in Word and the 6 words shoud be per sheet not per half inch; unreadable, not made to understand. [Why!?!? Why use PPT; why are you using a truck to get a dozen of eggs from the Walmart ..!?]

So, what pointer can you provide to beat the business case system; not to game it but to replace it with another that might actually be useful, functional, in (larger) organisations …?

The two faces of digital transformation

A plain reblog from Esko Kilpi, on the future of information flow within the organization. Very thoughtful. If only you’d be allowed to read it and not be stuck in printed documents …

Diversified Reporting Assurance

Yes, let’s call it DRA. The new wave of “accountants’ statements” in the wings.
[Warning: for those not interested in accountancy, the rest will be boring. Or, let me restate that: very boring. Or even deadly boring.]
Continue reading “Diversified Reporting Assurance”

Inter faces


[Educational institute x 3, campus Free University, Amsterdam]

When sleeping over problems, one often comes up with solutions that both are real and so all-encompassing that they’ll need much elaboration before being applicable in a nimble way.
This one was/is on information security, again. Recall the ‘discussions’ I posted some days ago about (industrial) process control versus administrative control? Well, I’ve some more elements for a grand new scheme now.

It struck me that the operators at the (chemical) plant control room, are the ones with the dashboards. Not necessarily their managers. Nor their manager managers, etc. What if instead of some machine equipment, we plug in hoomans into the whole ..? And let them interact like the übercomplex ‘machines’ that they are, doing their (administrative / service) thing that they (want to?) do. All the way to the point where we have no equipment, just humans (with tools, by the way, but those would be under ‘complete’ control of the ones using them so are just extensions of them). One ‘manager’ could then control quite a lot; have a huge span of control…

If, big if, if only the manager would understand the overall ‘process’ well enough, that is, to be able to work with the dashboard then provided. Just Continuous Monitoring as a job, not much more (one would have 2nd- and/or 3rd ‘lines of control’ (ugh for the expression) to fix deviations, do planned maintenance, etc.). Probably not. But one can still dream; organizations would be flat without chaos breaking out.

And if you’d say it would be impossible altogether, have a look at your SOC/NOC room where techies monitor IT network traffic and systems’ health. They even have some room to correct..! And they are aware, monitor, the appropriateness of what flows over the lines, having professional pride in catching un(machine)detected patterns of irregularity possibly being break-in/break-out attempts. And they leave the content for what it is, that’s for the experts, the users themselves, to understand and monitor if only they would.
Why wouldn’t other ‘managers’ copy the idea to their own desk? No, they don’t, yet. They get Reports that they hardly read, because someone else had thought for them in determining what should be in there. And reports aren’t continuous. Walking around is, but would (rightly) be viewed as micromanagement and a bit too much given the non-continuous nature of what modern knowledge workers do. So, we’ll have to define some gauges that are monitored semi-continuously.

Now, a picture again to refresh:

[Westpunt, Curaçao]

But with the measurements not influencing the primary production ..! To let knowledge workers do their thing, in mutual cooperation without interference by some busybody thinking (s)he knows better for no reason whatsoever.
Through which we note that the use of dashboards should not, must not, start with ‘Board’s or similar utterly superfluous governance levels. Governance is for governments. As it is ‘implemented’ in larger organizations, it doesn’t look like kindergarten kids playing Important for nothing. The use of dashboards should start from the bottom, and should include quite rigorous (but not merely by the numbers) pruning of both middle-level ‘managers’ (keep the good ones, i.e., not the ones that are only expert in hanging on! otherwise you spell death), and all sorts of groupie secondary and third-line staff.

Which will only work if you haven’t yet driven out all the knowledge workers by dumbing down their work into ‘processes’ and ‘procedures’ that are bereft of any productive (sic) rationale. And if you haven’t driven out all the actual managers and are left with the deadwood that is expert only in toeing the line or rather, sitting dead still in their place.

Now have a look back also on how you do information security. Wouldn’t the little bit of tuning you may need to do, be focused best on the very shop floor level that go into the ‘industrial’ process as inputs? You would only have to informationsecure anything that would not be controlled ‘automatically’, innate in the humans that handle the information (and data; we’ll discuss later). Leave infosec mostly with them, with support concentrated at an infosec department maybe, and have managers monitor it only to the extent necessary.

And, by extension, the same would go for risk management altogether. Wouldn’t this deliver a much more lean and mean org structure than the top-down approaches that lead to such massive counterproductive overhead as we see today? With the very first-line staff that would need all the freedom feasible to be productive (the managers and rest of the overhead, aren’t, very very maybe only indirectly but certainly not worth their current income levels!) then not having to prove their innocence… See Menno Lanting’s blog for details…
Org structures have become more diamond- than pyramid-shaped; which is plain wrong for effectiveness and efficiency…

So let’s cut the cr.p and manage the interfaces, vertically, and horizontally, noting the faces part; human. An art maybe, but better than the current nonsense…

The P (part 1, too)

Now then, for the grand Part 1 of the People of Information Security. À la the triangle I posted on earlier (see somewhere below) where the People aspect floats around the triangle like a dense cloud; obscuring your clear view and posing a foggy unclarity threat.
To jot down, there are many aspects of People that we have to deal with, but let’s start with some random unstructured angles:
[Generalife, Granada]

People are a Threat. Externally, they are the actors, not random Acts of nature. No, they, they! the people, the masses (even in Ortega y Gasset style), they exist only to attack us!
How nice if you believe such, how nice to all those that have a sense of community and either don’t care to attack you even if it could be to their (risk-weighted) profit, or even help you, tacitly or visibly, explicitly. How hard do you work to alienate all those, too? Notwithstanding that there are indeed some out there that want to attack you: Have you ever stepped into their shoes to figure out why ..? If (very big if) you really stepped into their mindset, wouldn’t you do the same because by their reasoning, you ‘deserved’ it?

People are Vulnerabilities, on the inside. They are frail, failing their duty-above-all to follow your procedures, excuse me the word F.ck the contributions to the organizational success; your procedures are sacred of course?

People are Means in information security. That’s actually what they are in the People, Process, Technology trio. Vulnerability, and Threat by the way, if they deviate from how you wanted to deploy the resource, but they can also be very powerful ‘allies’ as resource to deploy in information security, information safety [nice idea, to defuse the old phrase], information asset protection. People are the thing (sic) that might follow Process using Technology to achieve protection. People are the ones to task doing to safeguard your information assets. They may not be perfect, but they will for a long time to come be the actual actors and re-actors.

People are psychological constructs acting in sociological environments. I cannot write this often enough: Read and re-read Bruce Schneier’s Liars and Outliers, to understand how these People may operate in your artificial society called organization (oh the wishful thinking in that word…).

People then, will have to be included in security design in the prominent role they have not as an afterthough. They will have to take center stage indeed, as alpha and omega of information security organization.
We’ll have to find ways to really start with People and see how their work may be structured, and how their work may be supported (not the other way around!!) by Process and Technology. Process as a little handy tool, not as the raison d’être – an uphill struggle it will indeed be, but also sign of the times already! Totalitarian bureaucrats beware; the Age of Compliance is waning. See a future blog. Technology as a little handy tool (in big plural), not as the first to arrive and to bolt a bit of Process and very maybe even People onto here and there.
But we haven’t explored such a design direction at all, yet! We have no clue, no metholodogy, no vocabulary, to describe such a ‘design’ …

That’s where you come in; through your comments I propose to crowdsource such a methodology. Be part of it!

Maverisk / Étoiles du Nord