Repost, article originally posted on ComputerWorld UK
Have you ever noticed how good humour can make you laugh and cry at the same time? Laugh because the situation it describes is so ridiculous, cry because it is “too close for comfort”.
Recently I came across “The Hitchhiker's Guide to the Galaxy” (again) and once again I was confronted with the “Not my problem field”. For those not acquainted with the guide, here is the “Not my problem field” explained in my own words (I hope the creators of the guide do not object too much to my interpretation): in the distant future it is recognized that most creatures are curious by nature. Therefore trying to establish invisibility technology goes against a basic force in the universe (curiosity) and thus is very hard, if not impossible, to achieve.
However, another basic force in the universe is the tendency of creatures to shy away from things that might have a negative impact on them. So instead of convincing creatures that something is not there, one should convince them that they should consider it “not their problem”, because showing an interest might have a negative impact on them.
As a result they will ignore items surrounded by the “not my problem field”, effectively blocking them from their minds and making them invisible. Hence, according to the Hitchhiker's Guide, the “Not my problem field” technology is developed in the future.
When I came across this section of the guide once again, I had the tendency to laugh and cry at the same time. Since I was reminded of the “not my problem field” theory, I have become convinced that this is not an Einstein-like theoretical line of thought (disguised in comedy); we see the practical impact of these forces in the universe in everyday life. When I hear a project manager say that operational maintainability of the IT system he is supposed to deliver is not described in the specification and therefore not his… I think: field operational! Or the IT domain that has no idea what business value of IT means: strong field in place!
But the worst of them all is the field created by outsourcing. It is amazing how many organizations believe that if they outsource their IT (support, development, etc.), things like Information Security, IT Compliance and even IT (related) Risk are no longer their problem. Only recently somebody told me that they had an SLA (with penalty clauses) with their external providers, so IT Security, IT Control and IT Risk were no longer their problem.
So I asked him if he thought the existence of penalties ensured that the provider would always meet the SLA values. As an example we looked at the Service Level where the provider promised he would resolve 90% of all high priority incidents within 4 hours and 100% within one workday. Focusing on this promise alone, we could easily come up with a number of scenarios where the provider just would not be able to meet the commitment even if he wanted to.
This showed two things:
1. One should look at 100% promises with suspicion
2. Penalties are not risk mitigating controls
At best, penalties transfer the risk from the customer to the provider. Based on this realization, customers should think of the potential impact of their providers failing to meet their service levels. In most cases they will find that the penalties imposed do not even start to cover their potential losses (both material and immaterial); recent examples of data privacy breaches show the incredible reputational damage these can do.
The fact that the IT Service Provider might share some of the blame almost never eases the pain for the organization. The situation becomes even worse if one realizes that it is common practice amongst IT Service Providers to implement risk mark-ups for those contracts involving penalties. In this case the mark-up is reserved to pay the penalties should they be imposed, so basically the customer pays for his own penalty!
So where do all these “not my problem fields” come from if they are so undesirable? In the case of outsourcing they are actually a sales argument: “outsource and all these operational issues are no longer your concern; we will handle them for you”. What this statement fails to recognize is that you can outsource (operational) responsibility but not overall accountability towards the organizational owners and stakeholders.
Furthermore “not my problem fields” are the (unwanted) side effects of establishing governance structures and their supporting assignments of authority and responsibility. On the one hand it is undesirable that everybody is involved with each and every decision because such an organization would lose all agility. On the other hand every time somebody is excluded from the decision making process a small “not my problem field” is established and it might become stronger over time.
So when you accept that “not my problem fields” exist and are very often undesirable, how should one react? I came across one organization that had (at least in theory) the answer, and to date I feel they do a good job with the operational implementation of the solution. For this organization the solution comes from one of their core cultural values. The value is called “enterprise first”.
It basically means that the overall good of the organization comes before the individual interests of managers, departments, divisions, etc. If somebody is asked to assist with an issue, he cannot respond that he will not assist since “he is not responsible” (read: not my problem). If the enterprise benefits from resolving the issue, everybody should think “enterprise first” and assist if required.
With this solution it is important to realise that it is comparatively easy to commit such a corporate value to paper. However, implementing it and making it part of the standard attitude of all those who take part in the daily operation of the enterprise is a completely different challenge, all the more so if you realize that those involved with daily operations are not necessarily employees of the organization these days. In recent years a growing percentage are temporarily assigned external (human) resources that might not share (or be exposed to) the same core corporate values.