Why IT departments need to learn to give up control
Enable the business to do more with technology, instead of less
By Bob Lewis | CIO US | Published: 16:30, 29 March 2011
"Improvisation is too good to leave to chance," said singer Paul Simon. It's a lesson that IT needs to learn and, more important, act on.
We're surrounded. Here in the land of information technology, we're inundated by threats, and not just from the bad guys, although there are plenty of those to worry about. Never mind them; protecting the enterprise from its own workers is a much bigger challenge for IT because of employee desires:
- Using their own PC when they work from home and sometimes even at the office.
- Visiting Facebook, LinkedIn, YouTube, and other sites that have both business and personal uses without any IT-imposed restrictions.
- Installing apps they'll find useful, such as iTunes, Picasa, InfoSelect or the Google desktop, based solely on their own judgment.
- Working with iPhones, iPads or Androids, usually their own, not the company's.
- Accessing some amazing cloud-based service that lets them do right now what isn't even scheduled to launch until 2013 in the IT project master schedule.
All of the above either turns IT into Dr. No or puts the corporate crown jewels at too much risk, right?
As someone once said, those who fail to learn the lessons of history are doomed to repeat the seventh grade. To keep us all out of middle school, consider the chart below, which superimposes a brief economic history of the United States (based on the unemployment rate as provided by the Bureau of Labor Statistics) and IT's overall level of control over corporate information technology:
The chart tells the story: When IT lost control of information technology as PCs empowered individual users, the US economy expanded. When we regained control, the economy contracted. The same thing happened when someone who almost always wasn't in IT put just about every company in the country on the web, along with lots of new companies that kept their web development teams carefully separate from IT, and when IT regained control of web development.
Correlation doesn't, of course, prove causation, but the lack of linkage between IT keeping tight control and economic success isn't the best news for those in our profession who spend most of their time locking down plans and details.
Control is about playing it safe, preventing the unexpected, continuing to do only what we know, avoiding risk instead of managing it, colouring inside the lines instead of asking for a blank sheet of paper. The problem is, many of the risks you avoid are also opportunities you fail to pursue. You also end up becoming a member of the Value Prevention Society.
Three inescapable trends that have changed the IT landscape
The IT landscape has changed in three fundamental ways that together are making our habit of control obsolete:
- A vast expansion of IT's scope
- A radical increase in business user sophistication
- The nascent dominance of single actor business processes
It's the Yogi Berra theory of roads, and IT is facing it right now: We're at a fork and we have to take it. One path ignores these changes and follows IT's tradition of controlling the use of information technology. The other, better choice redefines IT's role, turning us into stewards who support everyone's ability to more effectively exploit information technology's potential.
Let's explore the three trends that have brought us to this fork (and seem to be poking us with it).
Vast IT scope expansion
Take a moment to track IT's sphere of responsibility over time:
- 1960s and early '70s. Core accounting functions: general ledger, accounts payable, billing/accounts receivable and payroll.
- Mid-'70s through mid-'80s. All of the above, plus full or partial automation of core non-accounting processes such as inventory management, purchasing/supply chain and order entry.
- Mid-'80s through early '90s. All of the above, plus personal effectiveness and communication technologies like email, word processing, electronic spreadsheets and presentation software.
- Early '90s through late '00s. All of the above, plus e-commerce, work process management, content management and further expanded communication technologies (web conferencing, for example).
- Late '00s to the present and beyond. Even more of the above, plus social media, expanded media (YouTube, podcasts) and an explosion of client platforms to support.
Makes your head hurt, doesn't it?
Business user sophistication
Starting in the early 2000s, households with computers outnumbered households without them. While this was happening, a few cadres of gamers, people accustomed to figuring out new user interfaces because that's part of the fun and no more difficult than learning how to drive a rental car, began to enter the workforce.
At the same time, their parents and grandparents, still in the workforce, were enjoying pictures of their grandkids that arrived by email, blissfully unaware that they were part of a major change in business realities.
IT's old "White-Out on the screen" assumption of business user ignorance has become obsolete. Business users are, if anything, too comfortable using information technology. Otherwise, IT wouldn't have smartphones, iPads and social media to worry about. Business users would be terrified, doing their best to avoid them all while playing solitaire on their desks with real playing cards.
IT's new challenge isn't to get business users to work with the technology in front of them. It's to prevent them from improvising when the provided systems don't address the situations they have to deal with or don't surface the features that address those situations. Anyone who's ever been part of a data cleanup effort resulting from different users putting the same information in separate database fields knows this.
And everyone who's ever had to cope with a mess of Excel front ends and back ends to the official business systems, either as a result of official systems that aren't flexible enough to address the business's needs or the lack of IT staff to adapt them, knows this even more.
Single actor business processes
We're at the confluence of two competing computing metaphors, call them the mainframe and portal views of computing.
The mainframe view is what IT is accustomed to, never mind the actual technology deployed in the data centre. It's a mindset that puts the enterprise applications in the middle, with human beings using computer terminals (now tightly controlled "thin clients") at the periphery. The enterprise applications manage the company's "core processes." The human beings perform process roles according to the rules laid out and enforced by the enterprise applications. It's the mass production business model.
One problem: The mass production business model fits fewer and fewer businesses, and even within businesses that still engage in mass production, fewer employees have mass production jobs.
In mass production's place are an increasing number of business processes performed by single actors and often performed only once, to deal with an unexpected situation.
To understand how business processes are collapsing from assembly lines to individual actors, you can look at an item as prosaic as the interoffice memo. Once upon a time it was a four-actor process: The author wrote a draft longhand or dictated it. From there, it went to the typing pool, then back to the author for editing, then back to the typing pool. Next, the author's manager handled final editing and approval before it was typed for signature. Finally, the mailroom delivered it.
Yes, little Johnny, that's how it used to be done back in Grandpa's time. The process commonly required days. It's now a single-actor process completed in minutes: The author composes an email, IM or text message and sends it.
Increasingly, responsibilities that used to go from desk to desk are handled by single individuals who draw on whatever business resources they need, mostly those available through the computing device that sits on their desk.
It's the portal view of computing: The desktop or laptop computer, and increasingly the smartphone and tablet, are portals to the array of resources employees need to handle modern business processes. That's a good reason to get away from the "single software image" mentality that denies users flexibility in the apps they use.
Along with this change is decreased reliance on standardised processes and an increase in the level of creativity required for success. Probably the best understood example is the move away from standard reports to BI-driven analytics. The difference: Fixed reports answered whatever questions the report's designer knew to answer.
Business intelligence systems stand this on its head. Managers and analysts will have different questions at different times, and fixed reports will only answer these queries by accident. Business intelligence systems let them ask whatever questions of the data occur to them and get answers right away.
IT's new job: Being the steward of technology use
These three trends (IT's expanding sphere of responsibility, business users' greatly increased sophistication in the use of computing tools and the move from standard, multiperson business processes to fluidly changing single-person responsibilities) mean IT's habitual control-based approach to managing a company's information resources must change as well.
It has, in light of the circumstances. IT's expansion means there's too much to control. Business user sophistication means there's less need to control it. And the rise of single actor and one time processes means control inflicts more harm than good, by preventing employees from being as effective as possible.
IT's new job is to support the portal view of computing, whenever and wherever it makes sense. That brands us as stewards, not owners: We take care of resources so as to ensure they're available to whoever needs them, wherever they need them, and in whatever form they're needed. We also help people get to whatever other resources they'll find helpful (not simply those they need; that's too tight a constraint), whether or not they're within IT's sphere of responsibility.
What will this new version of IT look like? If experience has shown us anything, it's that when the subject is big change, predicting anything beyond the first few baby steps is an exercise in futility. What we don't know far exceeds what we do know. Still, here are two baby steps you'll definitely need to take if you want to head down the opportunity-based fork in the road.
Baby step 1: Syndicate the risks. Everyone who works in information security knows this game: The company doesn't establish a clear security policy. With no business-driven statement of the ideal balance between risk and opportunity, the CSO's group has no choice but to go into full prevention mode, whether or not it makes business sense, because it will be blamed for any intrusions or malware outbreaks that occur.
It's the same deal in the new world of stewardship, only it's bigger. CIOs who want to move beyond a control-driven model of information technology will have to obtain a broad and deep consensus in the executive suite that the benefits warrant the risks.
Baby step 2: Convert or get rid of the Eeyores, and can the enforcers. Just between us, how many members of your IT staff think technology is really cool, and how many are Eeyores? How many are gamers, prefer ebooks to paperbacks, take notes on their iPads in meetings instead of using paper, agitate for the latest and greatest technology and constantly propose new and clever ways the company could be more effective ("if only we'd just do x")?
How many are, instead, like Winnie the Pooh's downcast friend Eeyore, thinking only about what will go wrong now, about how likely it is that rain will ruin the picnic, and that anyway their tails will certainly fall off?
If you want to move from control to stewardship, from the mainframe view to the portal view, you'll need more enthusiasts and fewer Eeyores to help drive the change. It's the enthusiasts who'll actively support the opportunities instead of seeing every one of them as a new way for business users to make their lives more miserable.
And you'll need to get rid of your enforcers, the ones who think it's up to IT, rather than the employees' managers, to make sure employees are spending their time productively. The enforcement mentality will always find reasons to keep employees away from opportunities.
How radical is the required change? Both a little and a lot
Even with this significant shift in approach, most of what we do in IT will look the same. Although this change sounds dramatic, our day-to-day work, normalising data designs, optimising database performance, designing service/object models, configuring and integrating various commercial software packages to do the basic work of the business, and keeping the infrastructure available and performing well, will look very much as it does today.
In this new world, we don't get to ignore compliance requirements, either. Taking off employee handcuffs and leg irons doesn't mean everyone can do everything without any constraints at all. But it does mean we stop using compliance to rationalise steps that are more for IT's convenience than for maximising business value. Sometimes it will even mean we stop enforcing compliance via technology, relying instead on training, management and employees' good judgment. Think you can't rely on employees to make the right decision? Then why would anyone hire them in the first place?
Mostly, the change is a 180-degree shift in attitude. That makes it a culture change, which business leaders know can only happen slowly and gradually, not by hitting a switch.
Since you know it's going to be a slow process, there's no time to start like the present.